Result Details
Enable FIPS Mode
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_fips_mode:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | high |
| Identifiers: | CCE-82540-6 |
| References: | disa: CCI-002450, CCI-000068, CCI-002418, CCI-000877; ism: 1446; nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1; nist: CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12; ospp: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1; os-srg: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 |
| Description | OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag fips: true must be enabled at install time in the install-config.yaml file. If this rule fails on an installed cluster, then this is a permanent finding and cannot be fixed. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | To configure Red Hat Enterprise Linux CoreOS 4 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Only enabling FIPS 140 mode during the Red Hat Enterprise Linux CoreOS 4 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. |
OVAL test results details
/etc/system-fips exists (oval:ssg-test_etc_system_fips:tst:1): false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_system_fips:obj:1 of type file_object
kernel runtime parameter crypto.fips_enabled set to 1 (oval:ssg-test_sysctl_crypto_fips_enabled:tst:1): false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sysctl_crypto_fips_enabled:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /proc/sys/crypto/fips_enabled | ^1$ | 1 |
check for crypto policy correctly configured in /etc/crypto-policies/config (oval:ssg-test_configure_crypto_policy:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current (oval:ssg-test_configure_crypto_policy_current:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run (oval:ssg-test_crypto_policies_updated:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1761074186 |
Check if /etc/crypto-policies/back-ends/nss.config exists (oval:ssg-test_crypto_policy_nss_config:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 42 | rwxrwxrwx |
tests if var_system_crypto_policy is set to FIPS (oval:ssg-test_system_crypto_policy_value:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-var_system_crypto_policy:var:1 | FIPS |
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | high |
| Identifiers: | CCE-82541-4 |
| References: | disa: CCI-000068, CCI-003123, CCI-002450, CCI-000877, CCI-002418, CCI-001453, CCI-002890; hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii); ism: 1446; nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1; nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3); ospp: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1; os-srg: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174; pcidss4: 2.2.7, 2.2 |
| Description | To configure the system cryptography policy to use ciphers only from the FIPS policy, create a MachineConfig as follows:
```yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 50-master-configure-crypto-policy
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: configure-crypto-policy.service
        enabled: true
        contents: |
          [Unit]
          Before=kubelet.service
          [Service]
          Type=oneshot
          ExecStart=update-crypto-policies --set FIPS
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
```
This will configure the crypto policy appropriately in all the nodes labeled with the "master" role. Note that this needs to be done for each MachineConfigPool. For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.
The rule checks whether the settings for the selected crypto policy are configured as expected. The configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case the module name is delimited from the base policy with a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. |
| Warnings | The system needs to be rebooted for these changes to take effect. System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
OVAL test results details
check for crypto policy correctly configured in /etc/crypto-policies/config (oval:ssg-test_configure_crypto_policy:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current (oval:ssg-test_configure_crypto_policy_current:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run (oval:ssg-test_crypto_policies_updated:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1761074186 |
Check if /etc/crypto-policies/back-ends/nss.config exists (oval:ssg-test_crypto_policy_nss_config:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 42 | rwxrwxrwx |
Configure Kerberos to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | high |
| Identifiers: | CCE-82547-1 |
| References: | disa: CCI-000803; ism: 0418, 1055, 1402; nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1; nist: SC-13, SC-12(2), SC-12(3); os-srg: SRG-OS-000120-GPOS-00061 |
| Description | Crypto Policies provide centralized control over the crypto algorithm usage of many packages. Kerberos is supported by crypto policy, but its configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, verify that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file (oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Check if kerberos configuration symlink links to the crypto-policy backend file (oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Configure OpenSSL library to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | medium |
| Identifiers: | CCE-82545-5 |
| References: | disa: CCI-001453; nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1; nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3); ospp: FCS_CKM.1, FCS_CKM.1.1, FCS_CKM.2, FCS_COP.1/ENCRYPT, FCS_COP.1/HASH, FCS_COP.1/SIGN, FCS_COP.1/KEYHMAC, FCS_TLSC_EXT.1, FCS_TLSC_EXT.1.1; pcidss: Req-2.2; os-srg: SRG-OS-000250-GPOS-00093 |
| Description | Crypto Policies provide centralized control over the crypto algorithm usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. |
| Rationale | Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check that the configuration mandates usage of system-wide crypto policies (oval:ssg-test_configure_openssl_crypto_policy:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/pki/tls/openssl.cnf | [ crypto_policy ] .include = /etc/crypto-policies/back-ends/opensslcnf.config |
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | medium |
| References: | disa: CCI-001453; hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii); nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1; nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13; ospp: FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1; pcidss: Req-2.2; os-srg: SRG-OS-000250-GPOS-00093; pcidss4: 2.2.7, 2.2 |
| Description | Crypto Policies provide centralized control over the crypto algorithm usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check that the SSH configuration mandates usage of system-wide crypto policies (oval:ssg-test_configure_ssh_crypto_policy:tst:1): true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | low |
| Identifiers: | CCE-82737-8 |
| References: | cis-csc: 1, 12, 14, 15, 16, 3, 5, 6, 8; cobit5: APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01; disa: CCI-000366; isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3; nerc-cip: CIP-007-3 R6.5; nist: CM-6(a), AU-4, SC-5(2); nist-csf: PR.PT-1, PR.PT-4; os-srg: SRG-OS-000480-GPOS-00227; anssi: R28 |
| Description | System logs are stored in the /var/log directory. Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic Note that the Red Hat OpenShift documentation often references a block device, such as /dev/vda. The name of the available block devices depends on the underlying infrastructure (bare metal vs cloud), and often the specific instance type. For example in AWS, some instance types have NVMe drives (/dev/nvme*), others use /dev/xvda*. You will need to look for relevant documentation for your infrastructure around this. In many cases, the simplest thing is to boot a single machine with an Ignition configuration that just gives you SSH access, and inspect the block devices via e.g. the lsblk command. For physical hardware, a good best practice is to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path links. |
| Rationale | Placing /var/log in its own partition enables better separation between log files and other files in /var/. |
Evaluation messages (info): No candidate or applicable check found.
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | low |
| Identifiers: | CCE-82738-6 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8; cobit5: APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01; disa: CCI-000366, CCI-001849; hipaa: 164.312(a)(2)(ii); isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6; iso27001-2013: A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1; nerc-cip: CIP-007-3 R6.5; nist: CM-6(a), AU-4, SC-5(2); nist-csf: PR.DS-4, PR.PT-1, PR.PT-4; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227; app-srg-ctr: SRG-APP-000357-CTR-000800, CNTR-OS-000200, CNTR-OS-000670; anssi: R71 |
| Description | Audit logs are stored in the /var/log/audit directory. Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log/audit partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic Note that the Red Hat OpenShift documentation often references a block device, such as /dev/vda. The name of the available block devices depends on the underlying infrastructure (bare metal vs cloud), and often the specific instance type. For example in AWS, some instance types have NVMe drives (/dev/nvme*), others use /dev/xvda*. You will need to look for relevant documentation for your infrastructure around this. In many cases, the simplest thing is to boot a single machine with an Ignition configuration that just gives you SSH access, and inspect the block devices via e.g. the lsblk command. For physical hardware, a good best practice is to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path links. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. |
| Rationale | Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. |
Evaluation messages (info): No candidate or applicable check found.
Install sudo Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sudo_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sudo_installed:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | medium |
| Identifiers: | CCE-82523-2 |
| References: | |
| Description | The sudo package can be installed with the following command: $ sudo dnf install sudo |
| Rationale | sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done. |
OVAL test results details
package sudo is installed (oval:ssg-test_package_sudo_installed:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | sudo | x86_64 | (none) | 10.el9_6.2 | 1.9.5p2 | 0:1.9.5p2-10.el9_6.2 | 199e2f91fd431d51 | sudo-0:1.9.5p2-10.el9_6.2.x86_64 |
Modify the System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-banner_etc_issue:def:1 |
| Time | 2025-10-23T19:33:57+00:00 |
| Severity | medium |
| Identifiers: | CCE-82555-4 |
| References: | cis-csc: 1, 12, 15, 16; cobit5: DSS05.04, DSS05.10, DSS06.10; cui: 3.1.9; disa: CCI-001387, CCI-001384, CCI-000048, CCI-001386, CCI-001388, CCI-001385; isa-62443-2009: 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9; iso27001-2013: A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; nist: AC-8(a), AC-8(c); nist-csf: PR.AC-7; os-srg: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 |
| Description | To configure the system login banner, create a file under /etc/issue.d. The Machine Configuration provided with this rule is generic. You may need to adjust it accordingly to fit your use case. The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
To address this, please create a MachineConfig object with the appropriate text in a drop-in file in /etc/issue.d/. You can also use the supplied remediation, which will be available based on scan results using `oc get remediations`. The default remediation is opinionated and you may need to adjust the MachineConfig accordingly for your use case. Do not try to edit /etc/issue directly as this is a symlink provided by the Operating System. For example, if you're using the DoD required text, the manifest would look as follows:
```yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-etc-issue
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
        mode: 0644
        path: /etc/issue.d/legal-notice
        overwrite: true
```
Note that this needs to be done for each MachineConfigPool. For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation. |
| Rationale | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
OVAL test results details
correct banner in /etc/issue (oval:ssg-test_banner_etc_issue:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/issue.d/21_clhm_ssh_host_keys.issue | SSH host key: SHA256:ymI3nRAhQu/SC0DhftaobNkq0FSAAshXys24rlD2IpY (ED25519); SSH host key: SHA256:PaH6RyAPU9QxEjKlJzQ1eXrumgB1phSxsqSkSRmg10k (ECDSA); SSH host key: SHA256:JAEcpyMoW1UALCWVItU63sfLBYNk8HJtwiH1ZCoO4Ko (RSA) |
| false | /etc/issue.d/22_clhm_enp126s0.issue | enp126s0: \4{enp126s0} \6{enp126s0} |
| false | /etc/issue | \S Kernel \r on an \m |
Prevent user from disabling the screen lock
| Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_tmux_in_shells:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | low |
| References: | disa: CCI-002235, CCI-000056; nist: CM-6; ospp: FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1; os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 |
| Description | The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells. |
| Rationale | Not listing tmux among permitted shells prevents a malicious program running as a user from lowering security by disabling the screen lock. |
OVAL test results details
check that tmux is not listed in /etc/shells (oval:ssg-test_no_tmux_in_shells:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/shells | tmux |
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82496-1 |
| References: | cui: 3.4.5; disa: CCI-000366, CCI-002235; hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); nist: CM-6; ospp: FIA_UAU.1; os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 |
| Description | SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled. By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following manifest:
```yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-debug-shell-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: debug-shell.service
        enabled: false
        mask: true
      - name: debug-shell.socket
        enabled: false
        mask: true
```
This will disable the debug-shell service in all the nodes labeled with the "master" role. Note that this needs to be done for each MachineConfigPool. For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation. |
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
OVAL test results details
package systemd is removed (oval:ssg-service_debug-shell_disabled_test_service_debug-shell_package_systemd_removed:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | systemd | x86_64 | (none) | 51.el9_6.2 | 252 | 0:252-51.el9_6.2 | 199e2f91fd431d51 | systemd-0:252-51.el9_6.2.x86_64 |
Test that the debug-shell service is not running (oval:ssg-test_service_not_running_service_debug-shell_disabled_debug-shell:tst:1): true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|---|---|---|
| true | debug-shell.service | ActiveState | inactive |
Test that the property LoadState from the service debug-shell is masked (oval:ssg-test_service_loadstate_is_masked_service_debug-shell_disabled_debug-shell:tst:1): false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|---|---|---|
| false | debug-shell.service | LoadState | loaded |
Verify that Interactive Boot is Disabled
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_disable_interactive_boot:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-83548-8 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.2, 3.4.5 | | disa | CCI-000213 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | SC-2(1), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 |
| Description | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument. |
| Rationale | Using interactive boot, the console user could disable auditing, firewalls,
or other services, weakening system security. |
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_burstaction:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | high |
| Identifiers: | CCE-82495-3 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | disa | CCI-000366, CCI-002235 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1), CM-6(a) | | nist-csf | PR.AC-4, PR.DS-5 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 |
| Description | By default, systemd will reboot the system if the Ctrl-Alt-Del
key sequence is pressed more than 7 times within 2 seconds.
To configure the system to ignore this Ctrl-Alt-Del burst (by setting
CtrlAltDelBurstAction to none), create a MachineConfig similar to the following:
  apiVersion: machineconfiguration.openshift.io/v1
  kind: MachineConfig
  metadata:
    labels:
      machineconfiguration.openshift.io/role: master
    name: 75-master-disable-ctrlaltdel-burstaction
  spec:
    config:
      ignition:
        version: 3.1.0
      storage:
        files:
        - contents:
            source: data:,CtrlAltDelBurstAction%3Dnone
          mode: 0644
          path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
          overwrite: true
This will add the relevant configuration to /etc/systemd/system.conf.d/,
thus configuring systemd appropriately.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config
Operator, see the relevant documentation. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
OVAL test results details
check if CtrlAltDelBurstAction is set to none
oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/systemd/system.conf(\.d/.*\.conf)?$ | ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ | 1 |
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_reboot:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | high |
| Identifiers: | CCE-82493-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | disa | CCI-000366, CCI-002235 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 |
| Description | By default, systemd will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, create a MachineConfig
similar to the following:
  apiVersion: machineconfiguration.openshift.io/v1
  kind: MachineConfig
  metadata:
    labels:
      machineconfiguration.openshift.io/role: master
    name: 75-master-disable-ctrlaltdel-reboot
  spec:
    config:
      ignition:
        version: 3.1.0
      systemd:
        units:
        - name: ctrl-alt-del.target
          mask: true
This will mask the ctrl-alt-del.target systemd target for all the
nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config
Operator, see the relevant documentation. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
OVAL test results details
Disable Ctrl-Alt-Del key sequence override exists
oval:ssg-test_disable_ctrlaltdel_exists:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|---|---|
| false | /etc/systemd/system/ctrl-alt-del.target | /usr/lib/systemd/system/reboot.target |
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82550-5 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.1.1, 3.4.5 | | disa | CCI-000213 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, AC-3, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 | | ospp | FIA_UAU.1 | | os-srg | SRG-OS-000080-GPOS-00048 |
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results details
Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service_distro:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Check that there is no override file for rescue.service with an ExecStart directive
oval:ssg-test_rescue_service_not_overridden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service_override:obj:1 of type
textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance |
|---|---|---|---|---|
| no value | /etc/systemd/system/rescue.service.d | ^.*\.conf$ | ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$ | 1 |
Tests that /usr/lib/systemd/systemd-sulogin-shell is defined in /etc/systemd/system/rescue.service.d/*.conf
oval:ssg-test_require_rescue_service_override:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service_override:obj:1 of type
textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance |
|---|---|---|---|---|
| no value | /etc/systemd/system/rescue.service.d | ^.*\.conf$ | ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$ | 1 |
Tests that the systemd rescue.service is in the runlevel1.target
oval:ssg-test_require_rescue_service_runlevel1:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/runlevel1.target | Requires=sysinit.target rescue.service |
look for runlevel1.target in /etc/systemd/system
oval:ssg-test_no_custom_runlevel1_target:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^runlevel1.target$ |
look for rescue.service in /etc/systemd/system
oval:ssg-test_no_custom_rescue_service:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^rescue.service$ |
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | high |
| Identifiers: | CCE-82553-9 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2 | | cobit5 | APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10 | | cui | 3.1.1, 3.1.5 | | disa | CCI-000366 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | IA-5(1)(a), IA-5(c), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5 | | ospp | FIA_UAU.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 8.3.1, 8.3 |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok option in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
If the system relies on the authselect tool to manage PAM settings, the remediation
will also use the authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having a user with an empty password within a container is not
considered a risk, because it should not be possible to directly log in to
a container anyway. |
OVAL test results details
make sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/pam.d/password-auth | auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
| not evaluated | /etc/pam.d/system-auth | auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Verify No netrc Files Exist
| Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_netrc_files:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82667-7 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | disa | CCI-000196 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 |
| Description | The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers, making them susceptible to access by unauthorized
users, and should not be used. Any .netrc files should be removed. |
| Rationale | Unencrypted passwords for remote FTP servers may be stored in .netrc
files. |
OVAL test results details
look for .netrc in /home
oval:ssg-test_no_netrc_files_home:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /home | ^\.netrc$ |
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | high |
| Identifiers: | CCE-82699-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10 | | cui | 3.1.1, 3.1.5 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, AC-6(5), IA-4(b) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5 | | pcidss | Req-8.5 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 8.2.1, 8.2 |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
OVAL test results details
test that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_no_uid_except_root:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Direct root Logins Not Allowed
| Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_direct_root_logins:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82698-2 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.1, 3.1.6 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | anssi | R33 | | pcidss4 | 8.6.1, 8.6 |
| Description | To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to log in to. If the file does
not exist at all, the root user can log in through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous,
as a user can log in to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux CoreOS 4's
/etc/securetty file only allows the root user to log in at the console
physically attached to the system. To prevent direct root logins, remove the
contents of this file by typing the following command (the output redirection
must itself run as root, so it is wrapped in a root shell rather than placed after
sudo echo, where the unprivileged shell would perform it):
$ sudo sh -c 'echo > /etc/securetty'
|
| Rationale | Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems. |
| Warnings | warning
This rule only checks the /etc/securetty file existence and its content.
If you need to restrict user access using the /etc/securetty file, make sure
the pam_securetty.so PAM module is properly enabled in relevant PAM files. |
OVAL test results details
no entries in /etc/securetty
oval:ssg-test_no_direct_root_logins:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_direct_root_logins:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/securetty | ^$ | 1 |
/etc/securetty file exists
oval:ssg-test_etc_securetty_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_securetty_exists:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/securetty | ^.*$ | 1 |
Ensure that System Accounts Do Not Run a Shell Upon Login
| Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_shelllogin_for_systemaccounts:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82697-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cobit5 | DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | ism | 1491 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | AC-6, CM-6(a), CM-6(b), CM-6.1(iv) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 8.2.2, 8.2 |
| Description | Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
|
| Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for
attackers to make use of system accounts. |
| Warnings | warning
Do not perform the steps in this section on the root account. Doing so might cause the
system to become inaccessible. |
OVAL test results details
SYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999 |
<0, UID_MIN - 1> system UIDs having shell set
oval:ssg-test_shell_defined_default_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/passwd | core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash |
<0, SYS_UID_MIN> system UIDs having shell set
oval:ssg-test_shell_defined_reserved_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/passwd | core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash |
<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set
oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/passwd | core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash |
Enable Kernel Page-Table Isolation (KPTI)
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_pti_kernel_argument:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | high |
| Identifiers: | CCE-82497-9 |
| References: | |
| Description | To enable Kernel page-table isolation, add the argument pti=on to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in /boot/loader/entries/*.conf. |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR). |
|
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument pti=on is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_vsyscall_kernel_argument:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82674-3 |
| References: | | nist | CM-7(a) | | os-srg | SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610 |
|
| Description | To disable use of virtual syscalls, add the argument vsyscall=none to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in /boot/loader/entries/*.conf. |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer. |
|
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument vsyscall=none is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Ensure Logrotate Runs Periodically
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_logrotate_activated:def:1 |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82689-1 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | | nist | CM-6(a) | | nist-csf | PR.PT-1 | | pcidss | Req-10.7 | | anssi | R71 |
|
| Description | The logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf,
which triggers a cron task or a timer. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
|
| Rationale | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. |
|
OVAL test results details
package logrotate is installed
oval:ssg-test_package_logrotate_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | logrotate | x86_64 | (none) | 9.el9 | 3.18.0 | 0:3.18.0-9.el9 | 199e2f91fd431d51 | logrotate-0:3.18.0-9.el9.x86_64 |
Tests the presence of daily setting in /etc/logrotate.conf file
oval:ssg-test_logrotate_conf_daily_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/logrotate.conf | ^\s*daily[\s#]*$ | 1 |
Test if there is no weekly/monthly/yearly keyword
oval:ssg-test_logrotate_conf_no_other_keyword:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/logrotate.conf | weekly |
Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)
oval:ssg-test_cron_daily_logrotate_existence:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_cron_daily_logrotate_existence:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/cron.daily/logrotate | ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ | 1 |
look for logrotate.timer in multi-user.target.wants and timers.target.wants
oval:ssg-test_logrotate_enabled_systemd_target:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /etc/systemd/system/timers.target.wants/logrotate.timer | symbolic link | 0 | 0 | 39 | rwxrwxrwx |
Install iptables-nft Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iptables-nft_installed |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:34:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-86834-9 |
| References: | |
| Description | The iptables-nft package can be installed with the following command:
$ sudo dnf install iptables-nft
|
| Rationale | iptables-nft controls the Linux kernel network packet filtering
code. iptables-nft allows system operators to set up firewalls and IP
masquerading, etc.
|
Install iptables Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iptables_installed |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:34:04+00:00 |
| Severity | medium |
| Identifiers: | CCE-82522-4 |
| References: | |
| Description | The iptables package can be installed with the following command:
$ sudo dnf install iptables
|
| Rationale | iptables controls the Linux kernel network packet filtering
code. iptables allows system operators to set up firewalls and IP
masquerading, etc.
|
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 |
| Time | 2025-10-23T19:34:16+00:00 |
| Severity | medium |
| Identifiers: | CCE-82467-2 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 |
|
| Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0
|
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
|
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 |
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 |
net.ipv6.conf.all.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.accept_ra | 1 |
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 |
| Time | 2025-10-23T19:34:21+00:00 |
| Severity | medium |
| Identifiers: | CCE-82471-4 |
| References: | cis-csc: 11, 14, 3, 9; cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv); nist-csf: PR.IP-1, PR.PT-3; os-srg: SRG-OS-000480-GPOS-00227; anssi: R13 |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv6.conf.all.accept_redirects = 0` |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 |
net.ipv6.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 |
| Time | 2025-10-23T19:34:25+00:00 |
| Severity | medium |
| Identifiers: | CCE-82480-5 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9; cobit5: APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3; isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; nist: CM-7(a), CM-7(b), CM-6(a); nist-csf: DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4; os-srg: SRG-OS-000480-GPOS-00227; anssi: R13 |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: `$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv6.conf.all.accept_source_route = 0` |
| Rationale | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 |
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 |
net.ipv6.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv6.conf.all.accept_source_route | 0 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 |
| Time | 2025-10-23T19:34:28+00:00 |
| Severity | medium |
| Identifiers: | CCE-82468-0 |
| References: | cis-csc: 11, 14, 3, 9; cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a); nist-csf: PR.IP-1, PR.PT-3; os-srg: SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: `$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv6.conf.default.accept_ra = 0` |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 |
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 |
net.ipv6.conf.default.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.default.accept_ra | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 |
| Time | 2025-10-23T19:34:33+00:00 |
| Severity | medium |
| Identifiers: | CCE-82477-1 |
| References: | cis-csc: 11, 14, 3, 9; cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a); nist-csf: PR.IP-1, PR.PT-3; os-srg: SRG-OS-000480-GPOS-00227; anssi: R13 |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv6.conf.default.accept_redirects = 0` |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 |
net.ipv6.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.default.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 |
| Time | 2025-10-23T19:34:38+00:00 |
| Severity | medium |
| Identifiers: | CCE-82481-3 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9; cobit5: APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3; isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; nist: CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv); nist-csf: DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4; pcidss: Req-1.4.3; os-srg: SRG-OS-000480-GPOS-00227; anssi: R13; pcidss4: 1.4.2, 1.4 |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: `$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv6.conf.default.accept_source_route = 0` |
| Rationale | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 |
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 |
net.ipv6.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv6.conf.default.accept_source_route | 0 |
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 |
| Time | 2025-10-23T19:34:42+00:00 |
| Severity | medium |
| Identifiers: | CCE-82469-8 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9; cjis: 5.10.1.1; cobit5: APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06; cui: 3.1.20; disa: CCI-000366; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6; iso27001-2013: A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a); nist-csf: DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3; os-srg: SRG-OS-000480-GPOS-00227; anssi: R12 |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.accept_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. |
OVAL test results details
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 |
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 |
net.ipv4.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.all.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 |
| Time | 2025-10-23T19:34:48+00:00 |
| Severity | medium |
| Identifiers: | CCE-82478-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 |
|
| Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routed traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
OVAL test results details
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 |
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 |
net.ipv4.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.conf.all.accept_source_route | 0 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1 |
| Time | 2025-10-23T19:34:54+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82486-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), SC-5(3)(a) | | nist-csf | DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 |
|
| Description | To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1
|
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
OVAL test results details
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 |
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 |
net.ipv4.conf.all.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.all.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 |
| Time | 2025-10-23T19:34:58+00:00 |
| Severity | medium |
| Identifiers: | CCE-82488-8 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.3, 1.4 |
|
| Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
|
OVAL test results details
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 |
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 |
net.ipv4.conf.all.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.all.rp_filter | 0 |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1 |
| Time | 2025-10-23T19:35:04+00:00 |
| Severity | medium |
| Identifiers: | CCE-82482-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-001503, CCI-001551 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.3, 1.4 |
|
| Description | To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
|
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. |
|
OVAL test results details
net.ipv4.conf.all.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 |
net.ipv4.conf.all.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 |
net.ipv4.conf.all.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.all.secure_redirects | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1 |
| Time | 2025-10-23T19:35:08+00:00 |
| Severity | medium |
| Identifiers: | CCE-82470-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.3, 1.4 |
|
| Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required. |
|
OVAL test results details
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 |
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 |
net.ipv4.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.default.accept_redirects | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1 |
| Time | 2025-10-23T19:35:12+00:00 |
| Severity | medium |
| Identifiers: | CCE-82479-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 |
|
| Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router. |
OVAL test results details
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 |
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 |
net.ipv4.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.accept_source_route = 0 |
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.conf.default.accept_source_route | 0 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1 |
| Time | 2025-10-23T19:35:17+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82487-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), SC-5(3)(a) | | nist-csf | DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 |
|
| Description | To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1
|
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
OVAL test results details
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 |
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 |
net.ipv4.conf.default.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.default.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1 |
| Time | 2025-10-23T19:35:21+00:00 |
| Severity | medium |
| Identifiers: | CCE-82489-6 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 |
| Description | To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.rp_filter = 1` |
| Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
OVAL test results details
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 |
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 |
net.ipv4.conf.default.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.rp_filter = 2 |
| true | /usr/lib/sysctl.d/50-redhat.conf | net.ipv4.conf.default.rp_filter = 1 |
kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.conf.default.rp_filter | 1 |
Configure Kernel Parameter for Accepting Secure Redirects By Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1 |
| Time | 2025-10-23T19:35:25+00:00 |
| Severity | medium |
| Identifiers: | CCE-82483-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-001551 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 |
| Description | To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.secure_redirects = 0` |
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL test results details
net.ipv4.conf.default.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 |
net.ipv4.conf.default.secure_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 |
net.ipv4.conf.default.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.default.secure_redirects | 1 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1 |
| Time | 2025-10-23T19:35:28+00:00 |
| Severity | medium |
| Identifiers: | CCE-82491-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5 | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 1.4.2, 1.4 |
| Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.icmp_echo_ignore_broadcasts = 1` |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
OVAL test results details
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 |
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 |
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.icmp_echo_ignore_broadcasts | 1 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1 |
| Time | 2025-10-23T19:35:35+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82490-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5 | | nist-csf | DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.2, 1.4 |
| Description | To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.icmp_ignore_bogus_error_responses = 1` |
| Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
OVAL test results details
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 |
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 |
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.icmp_ignore_bogus_error_responses | 1 |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1 |
| Time | 2025-10-23T19:35:40+00:00 |
| Severity | medium |
| Identifiers: | CCE-82492-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | disa | CCI-001095, CCI-000366, CCI-002385 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | pcidss | Req-1.4.1 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071 | | anssi | R12 | | pcidss4 | 1.4.3, 1.4 |
| Description | To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.tcp_syncookies=1`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.tcp_syncookies = 1` |
| Rationale | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. |
OVAL test results details
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 |
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 |
net.ipv4.tcp_syncookies static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | net.ipv4.tcp_syncookies | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 |
| Time | 2025-10-23T19:35:46+00:00 |
| Severity | medium |
| Identifiers: | CCE-82484-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.5, 1.4 |
| Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.send_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results details
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 |
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 |
net.ipv4.conf.all.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.all.send_redirects | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | medium |
| Identifiers: | CCE-82485-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | disa | CCI-000366 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | pcidss4 | 1.4.5, 1.4 |
| Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0`. To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.send_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results details
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 |
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 |
net.ipv4.conf.default.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.ipv4.conf.default.send_redirects | 1 |
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_atm_disabled:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | medium |
| Identifiers: | CCE-82518-2 |
| References: | | disa | CCI-000381 | | nist | AC-18 | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 |
| Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: `install atm /bin/false` |
| Rationale | Disabling ATM protects the system against exploitation of any flaws in its implementation. |
OVAL test results details
kernel module atm blacklisted
oval:ssg-test_kernmod_atm_blacklisted:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/modprobe.d/atm-blacklist.conf | blacklist atm |
kernel module atm disabled
oval:ssg-test_kernmod_atm_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false\|/bin/true)$ | 1 |
kernel module atm disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_atm_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+atm\s+(/bin/false\|/bin/true)$ | 1 |
Disable CAN Support (xccdf_org.ssgproject.content_rule_kernel_module_can_disabled; severity: medium; CCE-82519-0)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_can_disabled:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | medium |
| Identifiers: | CCE-82519-0 |
| References: | disa: CCI-000381; nist: AC-18; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 |
| Description | The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive use and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: `install can /bin/false` |
| Rationale | Disabling CAN protects the system against exploitation of any flaws in its implementation. |
OVAL test results details
kernel module can blacklisted
oval:ssg-test_kernmod_can_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+can$ | 1 |
kernel module can disabled
oval:ssg-test_kernmod_can_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false\|/bin/true)$ | 1 |
kernel module can disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_can_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+can\s+(/bin/false\|/bin/true)$ | 1 |
Disable IEEE 1394 (FireWire) Support (xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled; severity: low; CCE-82517-4)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_firewire-core_disabled:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | low |
| Identifiers: | CCE-82517-4 |
| References: | |
| Description | IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: `install firewire-core /bin/false` |
| Rationale | Disabling FireWire protects the system against exploitation of any flaws in its implementation. |
OVAL test results details
kernel module firewire-core blacklisted
oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+firewire-core$ | 1 |
kernel module firewire-core disabled
oval:ssg-test_kernmod_firewire-core_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$ | 1 |
kernel module firewire-core disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$ | 1 |
Disable SCTP Support (xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled; severity: medium; CCE-82516-6)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_sctp_disabled:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | medium |
| Identifiers: | CCE-82516-6 |
| References: | cis-csc: 11, 14, 3, 9; cjis: 5.10.1; cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; cui: 3.4.6; disa: CCI-000381; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a); nist-csf: PR.IP-1, PR.PT-3; ospp: FMT_SMF_EXT.1; pcidss: Req-1.4.2; os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227; pcidss4: 1.4.2, 1.4 |
| Description | The Stream Control Transmission Protocol (SCTP) is a transport layer protocol designed to support message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: `install sctp /bin/false` |
| Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
OVAL test results details
kernel module sctp blacklisted
oval:ssg-test_kernmod_sctp_blacklisted:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/modprobe.d/sctp-blacklist.conf | blacklist sctp |
kernel module sctp disabled
oval:ssg-test_kernmod_sctp_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false\|/bin/true)$ | 1 |
kernel module sctp disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_sctp_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+sctp\s+(/bin/false\|/bin/true)$ | 1 |
Disable TIPC Support (xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled; severity: low; CCE-82520-8)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_tipc_disabled:def:1 |
| Time | 2025-10-23T19:35:50+00:00 |
| Severity | low |
| Identifiers: | CCE-82520-8 |
| References: | cis-csc: 11, 14, 3, 9; cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; disa: CCI-000381; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; nist: CM-7(a), CM-7(b), CM-6(a); nist-csf: PR.IP-1, PR.PT-3; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000095-GPOS-00049 |
| Description | The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: `install tipc /bin/false` |
| Rationale | Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
| Warnings | This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in a High Performance Computing cluster, it is expected that the tipc kernel module will be loaded. |
OVAL test results details
kernel module tipc blacklisted
oval:ssg-test_kernmod_tipc_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+tipc$ | 1 |
kernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false\|/bin/true)$ | 1 |
kernel module tipc disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_tipc_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+tipc\s+(/bin/false\|/bin/true)$ | 1 |
Disable Bluetooth Service (xccdf_org.ssgproject.content_rule_service_bluetooth_disabled; severity: medium)
| Rule ID | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_bluetooth_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| References: | cis-csc: 11, 12, 14, 15, 3, 8, 9; cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; cui: 3.1.16; disa: CCI-000085, CCI-001551; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7; nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | The bluetooth service can be disabled with the MachineConfig manifest below, which disables the bluetooth service on all nodes labeled with the "master" role. Note that this needs to be done for each MachineConfigPool. For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation. The running service can be stopped with: `$ sudo service bluetooth stop` |

```yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-bluetooth-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: bluetooth.service
        enabled: false
        mask: true
      - name: bluetooth.socket
        enabled: false
        mask: true
```

| Rationale | Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. |
OVAL test results details
package bluez is removed
oval:ssg-service_bluetooth_disabled_test_service_bluetooth_package_bluez_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_bluetooth_disabled_test_service_bluetooth_package_bluez_removed:obj:1 of type rpminfo_object
Test that the bluetooth service is not running
oval:ssg-test_service_not_running_service_bluetooth_disabled_bluetooth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_service_bluetooth_disabled_bluetooth:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^bluetooth\.(service\|socket)$ | ActiveState |
Test that the property LoadState from the service bluetooth is masked
oval:ssg-test_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^bluetooth\.(service\|socket)$ | LoadState |
Disable Bluetooth Kernel Module (xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled; severity: medium; CCE-82515-8)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_bluetooth_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-82515-8 |
| References: | cis-csc: 11, 12, 14, 15, 3, 8, 9; cjis: 5.13.1.3; cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; cui: 3.1.16; disa: CCI-001443, CCI-000381; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7; nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 |
| Description | The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module: `install bluetooth /bin/true` |
| Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL test results details
kernel module bluetooth blacklisted
oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+bluetooth$ | 1 |
kernel module bluetooth disabled
oval:ssg-test_kernmod_bluetooth_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$ | 1 |
kernel module bluetooth disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$ | 1 |
Disable Kernel cfg80211 Module (xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled; severity: medium; CCE-85932-2)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_cfg80211_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-85932-2 |
| References: | nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4) |
| Description | To configure the system to prevent the cfg80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/cfg80211.conf: `install cfg80211 /bin/false` |
| Rationale | If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL test results details
kernel module cfg80211 blacklisted
oval:ssg-test_kernmod_cfg80211_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cfg80211_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+cfg80211$ | 1 |
kernel module cfg80211 disabled
oval:ssg-test_kernmod_cfg80211_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cfg80211_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+cfg80211\s+(/bin/false\|/bin/true)$ | 1 |
kernel module cfg80211 disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_cfg80211_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cfg80211_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+cfg80211\s+(/bin/false\|/bin/true)$ | 1 |
Disable Kernel iwlmvm Module (xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled; severity: medium; CCE-85933-0)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_iwlmvm_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-85933-0 |
| References: | nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4) |
| Description | To configure the system to prevent the iwlmvm kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlmvm.conf: `install iwlmvm /bin/false` |
| Rationale | If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL test results details
kernel module iwlmvm blacklisted
oval:ssg-test_kernmod_iwlmvm_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlmvm_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+iwlmvm$ | 1 |
kernel module iwlmvm disabled
oval:ssg-test_kernmod_iwlmvm_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlmvm_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+iwlmvm\s+(/bin/false\|/bin/true)$ | 1 |
kernel module iwlmvm disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_iwlmvm_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlmvm_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+iwlmvm\s+(/bin/false\|/bin/true)$ | 1 |
Disable Kernel iwlwifi Module (xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled; severity: medium; CCE-85934-8)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_iwlwifi_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-85934-8 |
| References: | nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4) |
| Description | To configure the system to prevent the iwlwifi kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlwifi.conf: `install iwlwifi /bin/false` |
| Rationale | If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL test results details
kernel module iwlwifi blacklisted
oval:ssg-test_kernmod_iwlwifi_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlwifi_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+iwlwifi$ | 1 |
kernel module iwlwifi disabled
oval:ssg-test_kernmod_iwlwifi_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlwifi_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+iwlwifi\s+(/bin/false\|/bin/true)$ | 1 |
kernel module iwlwifi disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_iwlwifi_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_iwlwifi_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+iwlwifi\s+(/bin/false\|/bin/true)$ | 1 |
Disable Kernel mac80211 Module (xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled; severity: medium; CCE-85935-5)
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_mac80211_disabled:def:1 |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-85935-5 |
| References: | nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4) |
| Description | To configure the system to prevent the mac80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/mac80211.conf: `install mac80211 /bin/false` |
| Rationale | If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL test results details
kernel module mac80211 blacklisted
oval:ssg-test_kernmod_mac80211_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_mac80211_blacklisted:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+mac80211$ | 1 |
kernel module mac80211 disabled
oval:ssg-test_kernmod_mac80211_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_mac80211_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+mac80211\s+(/bin/false\|/bin/true)$ | 1 |
kernel module mac80211 disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_mac80211_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_mac80211_modprobeconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+mac80211\s+(/bin/false\|/bin/true)$ | 1 |
Disable WiFi or Bluetooth in BIOS (xccdf_org.ssgproject.content_rule_wireless_disable_in_bios; severity: unknown; CCE-82659-4)
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_in_bios |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82659-4 |
| References: | cis-csc: 11, 12, 14, 15, 3, 8, 9; cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; disa: CCI-000085; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7; nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot. |
| Rationale | Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. |
Evaluation messages (info): No candidate or applicable check found.
Deactivate Wireless Network Interfaces (xccdf_org.ssgproject.content_rule_wireless_disable_interfaces; severity: medium; CCE-82660-2)
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:35:52+00:00 |
| Severity | medium |
| Identifiers: | CCE-82660-2 |
| References: | cis-csc: 11, 12, 14, 15, 3, 8, 9; cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; cui: 3.1.16; disa: CCI-001443, CCI-001444, CCI-002421, CCI-002418; isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ism: 1315, 1319; iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7; nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; pcidss: Req-1.3.3; os-srg: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-00481; pcidss4: 1.3.3, 1.3 |
| Description | Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command: `$ sudo nmcli radio all off` |
| Rationale | The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. |
Enable Kernel Parameter to Enforce DAC on Hardlinks (xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks; severity: medium; CCE-82506-7)
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_hardlinks:def:1 |
| Time | 2025-10-23T19:35:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82506-7 |
| References: | | disa | CCI-002235, CCI-002165 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | os-srg | SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 | | anssi | R14 |
|
| Description | To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1
|
| Rationale | By enabling this kernel parameter, users can no longer create hard links to files they do not own unless they also have both read and write access to the target (the parameter does not affect symbolic links, which fs.protected_symlinks governs). Disallowing such hard links mitigates vulnerabilities in privileged programs that access the file system insecurely, closing an exploitation vector that relies on unsafe use of open() or creat(). |
OVAL test results details
fs.protected_hardlinks static configuration
oval:ssg-test_sysctl_fs_protected_hardlinks_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_hardlinks:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_hardlinks:obj:1 |
fs.protected_hardlinks static configuration
oval:ssg-test_sysctl_fs_protected_hardlinks_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_hardlinks:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_hardlinks:obj:1 |
fs.protected_hardlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_fs_protected_hardlinks_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-default.conf | fs.protected_hardlinks = 1 |
kernel runtime parameter fs.protected_hardlinks set to 1
oval:ssg-test_sysctl_fs_protected_hardlinks_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | fs.protected_hardlinks | 1 |
Enable Kernel Parameter to Enforce DAC on Symlinks | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks | medium | CCE-82507-5
Enable Kernel Parameter to Enforce DAC on Symlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_symlinks:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82507-5 |
| References: | | disa | CCI-002235, CCI-002165 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | os-srg | SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 | | anssi | R14 |
|
| Description | To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1
|
| Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities in privileged programs that access the
file system insecurely, closing an exploitation vector that relies on unsafe use of open() or
creat() in world-writable directories such as /tmp. |
OVAL test results details
fs.protected_symlinks static configuration
oval:ssg-test_sysctl_fs_protected_symlinks_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_symlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_symlinks:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_symlinks:obj:1 |
fs.protected_symlinks static configuration
oval:ssg-test_sysctl_fs_protected_symlinks_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_symlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_symlinks:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_symlinks:obj:1 |
fs.protected_symlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_fs_protected_symlinks_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-default.conf | fs.protected_symlinks = 1 |
kernel runtime parameter fs.protected_symlinks set to 1
oval:ssg-test_sysctl_fs_protected_symlinks_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | fs.protected_symlinks | 1 |
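The two sysctl rules above share one pattern that the OVAL results make visible: the vendor file /usr/lib/sysctl.d/50-default.conf sets both keys to 1 (the static_pkg_correct test is true) but nothing under /etc/sysctl.d does (static_user is false), so a later-sorted or same-named administrator drop-in can change the boot-time value while the runtime value still reads 1 until the next reboot. The Python below is an added example, not part of this report or of the ComplianceAsCode content it was generated from. It resolves the effective static value with sysctl.d(5) precedence (same-named files in later directories are masked, then the surviving files are applied in basename order and the last assignment wins) and compares it with the runtime value, for fs.protected_hardlinks and fs.protected_symlinks alike. All file contents and runtime values are constructed; /etc/sysctl.conf is not modelled. On RHCOS the /etc/sysctl.d drop-in would be delivered with a MachineConfig, the same mechanism as the autofs manifest further down.

```python
"""Resolve the boot-time (static) value of a sysctl key from drop-in files
the way systemd-sysctl does and compare it with the running kernel's value,
mirroring the 'static configuration' and 'runtime' OVAL tests above.
Added example; the files and runtime values below are constructed."""
import re
from pathlib import PurePosixPath

# Directories in precedence order. A file in an earlier directory masks any
# file with the same basename in a later one (sysctl.d(5) semantics).
SYSCTL_DIRS = (
    "/etc/sysctl.d",
    "/run/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d",
)

# "key = value"; an optional leading '-' tells systemd-sysctl to ignore errors.
_SETTING = re.compile(r"^\s*-?\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def resolve_sysctl(files):
    """files: {absolute path: text}. Returns {key: (value, path)}.

    Masking is by basename across SYSCTL_DIRS; the surviving files are then
    applied in lexicographic order of basename, so the last assignment of a
    key wins, exactly as systemd-sysctl applies them at boot.
    """
    chosen = {}
    for directory in SYSCTL_DIRS:
        for path in files:
            p = PurePosixPath(path)
            if str(p.parent) == directory and p.suffix == ".conf" and p.name not in chosen:
                chosen[p.name] = path

    effective = {}
    for name in sorted(chosen):
        path = chosen[name]
        for line in files[path].splitlines():
            stripped = line.strip()
            if not stripped or stripped[0] in "#;":
                continue
            m = _SETTING.match(line)
            if m:
                # sysctl accepts 'fs/protected_hardlinks' as well as the dotted form.
                effective[m.group(1).replace("/", ".")] = (m.group(2), path)
    return effective


def check_sysctl(files, runtime, key, want):
    """Evaluate one key the way the report's OVAL tests do.

    runtime: {key: value} as read from /proc/sys (constructed here).
    Returns the runtime result, the static result, the file that supplied
    the static value, and whether that file lives in /etc/sysctl.d (the
    'static_user' test) rather than only in the vendor directory.
    """
    value, path = resolve_sysctl(files).get(key, (None, None))
    return {
        "runtime_ok": runtime.get(key) == want,
        "static_ok": value == want,
        "static_path": path,
        "set_by_admin": bool(path) and path.startswith("/etc/sysctl.d/"),
    }


# Constructed sample: the vendor default file the report found, plus the
# scenarios an auditor should recognise.
VENDOR = {
    "/usr/lib/sysctl.d/50-default.conf": (
        "# vendor defaults (sample)\n"
        "fs.protected_hardlinks = 1\n"
        "fs.protected_symlinks = 1\n"
    ),
}
RUNTIME = {"fs.protected_hardlinks": "1", "fs.protected_symlinks": "1"}

# Scenario A: a later-sorted admin drop-in turns the protection off at the
# next boot while the running value still reads 1.
OVERRIDDEN = dict(VENDOR)
OVERRIDDEN["/etc/sysctl.d/90-legacy-app.conf"] = "fs.protected_hardlinks = 0\n"

# Scenario B: an admin file with the same basename masks the vendor file
# entirely, so the key is no longer set anywhere.
MASKED = dict(VENDOR)
MASKED["/etc/sysctl.d/50-default.conf"] = "kernel.printk = 3 4 1 3\n"

# The fix the rule asks for: an explicit admin drop-in that sorts last.
FIXED = dict(OVERRIDDEN)
FIXED["/etc/sysctl.d/99-protected-links.conf"] = (
    "fs.protected_hardlinks = 1\nfs.protected_symlinks = 1\n"
)

if __name__ == "__main__":
    for label, files in (("vendor", VENDOR), ("overridden", OVERRIDDEN),
                         ("masked", MASKED), ("fixed", FIXED)):
        print(label, check_sysctl(files, RUNTIME, "fs.protected_hardlinks", "1"))
```

Run against the real host by replacing the dictionaries with the contents of the four directories and of /proc/sys/fs/protected_hardlinks; a static_ok of False with runtime_ok True is the case the report's static_user test is designed to catch.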
Disable the Automounter | xccdf_org.ssgproject.content_rule_service_autofs_disabled | medium | CCE-82663-6
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82663-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.4.6 | | disa | CCI-000778, CCI-000366, CCI-001958 | | hipaa | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 |
|
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-autofs-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true
This will disable the autofs service on all nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool (for example, a second
manifest with the worker role label and a matching name for the worker pool).
For more information on how to configure nodes with the Machine Config
Operator see the relevant documentation.
|
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity. |
Disable Booting from USB Devices in Boot Firmware | xccdf_org.ssgproject.content_rule_bios_disable_usb_boot | unknown | CCE-82662-8
Disable Booting from USB Devices in Boot Firmware
| Rule ID | xccdf_org.ssgproject.content_rule_bios_disable_usb_boot |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82662-8 |
| References: | | cis-csc | 12, 16 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | disa | CCI-001250 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1 | | nist | MP-7, CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.AC-6 |
|
| Description | Configure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives. |
| Rationale | Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS. |
Evaluation messagesinfo
No candidate or applicable check found. |
Disable Kernel Support for USB via Bootloader Configuration | xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument | medium | CCE-83443-2
Disable Kernel Support for USB via Bootloader Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_nousb_kernel_argument:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-83443-2 |
| References: | | cis-csc | 12, 16 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | disa | CCI-001250 | | hipaa | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1 | | nist | MP-7, CM-6(a) | | nist-csf | PR.AC-3, PR.AC-6 |
|
| Description | All USB support can be disabled by adding the nousb
argument to the kernel's boot loader configuration. To do so,
add the nousb kernel argument via a MachineConfig
object. |
| Rationale | Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems. |
| Warnings | warning
Disabling all kernel support for USB will cause problems for systems
with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common. |
|
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument nousb is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
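The three OVAL tests above inspect the options line of every /boot/loader/entries/ostree-*.conf entry and the running /proc/cmdline. Note that the BLS entry carries cgroup_no_v1="all" while /proc/cmdline shows cgroup_no_v1=all: the boot loader strips the quotes, so a raw substring comparison between the two sources can disagree. The Python below is an added example, not from the report or from ComplianceAsCode, that tokenises both sources the way the kernel sees them and reports, per source, whether nousb is present. The boot entry and command lines are constructed with placeholder deployment hashes and UUIDs.

```python
"""Check for a kernel argument in Boot Loader Specification entries and in
/proc/cmdline, mirroring the OVAL tests for the nousb rule above.
Added example with constructed inputs."""
import shlex


def parse_kernel_args(cmdline):
    """Split a kernel command line into (key, value) pairs.

    Values may be double-quoted in a BLS 'options' line (cgroup_no_v1="all")
    but appear unquoted in /proc/cmdline; shlex strips the quotes so both
    forms compare equal. A bare flag such as 'nousb' or 'rw' gets value None.
    Only the first '=' splits, so root=UUID=... keeps its full value.
    Duplicates are preserved because the kernel sees every occurrence.
    """
    args = []
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        args.append((key, value if sep else None))
    return args


def has_kernel_arg(args, name):
    """True when the flag or parameter 'name' appears at least once."""
    return any(key == name for key, _ in args)


def bls_options(entry_text):
    """Return the kernel command line from a BLS entry.

    The 'options' key may be repeated; BLS concatenates the values in order.
    Returns '' if the entry carries no options line.
    """
    parts = []
    for line in entry_text.splitlines():
        if line.startswith("options "):
            parts.append(line[len("options "):].strip())
    return " ".join(parts)


def check_kernel_arg(entries, proc_cmdline, name="nousb"):
    """entries: {path: text} for /boot/loader/entries/*.conf.

    Returns {path or '/proc/cmdline': bool}. The rule passes only when every
    entry and the running kernel carry the argument: an entry without it
    means the next boot will not have it, and a cmdline without it means the
    current kernel already initialised the USB subsystem.
    """
    result = {path: has_kernel_arg(parse_kernel_args(bls_options(text)), name)
              for path, text in entries.items()}
    result["/proc/cmdline"] = has_kernel_arg(parse_kernel_args(proc_cmdline), name)
    return result


# Constructed sample entry, shaped like the rhcos entry in the report but
# with a placeholder deployment hash and UUIDs.
ENTRY_BEFORE = """\
title Red Hat Enterprise Linux CoreOS (ostree:0)
version 1
options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/deadbeef/0 console=tty0 console=ttyS0,115200n8 root=UUID=0000-0000 rootflags=prjquota cgroup_no_v1="all" psi=0
linux /boot/ostree/rhcos-deadbeef/vmlinuz
"""
# The same entry after the remediation appended nousb to the options line.
ENTRY_AFTER = ENTRY_BEFORE.replace("psi=0\n", "psi=0 nousb\n")

CMDLINE_BEFORE = ("BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-deadbeef/vmlinuz rw "
                  "ostree=/ostree/boot.1/rhcos/deadbeef/0 console=tty0 "
                  "root=UUID=0000-0000 cgroup_no_v1=all psi=0")
CMDLINE_AFTER = CMDLINE_BEFORE + " nousb"

if __name__ == "__main__":
    entry = "/boot/loader/entries/ostree-1.conf"
    print(check_kernel_arg({entry: ENTRY_BEFORE}, CMDLINE_BEFORE))
    print(check_kernel_arg({entry: ENTRY_AFTER}, CMDLINE_AFTER))
```

On OpenShift the argument itself is added with a MachineConfig that lists it under spec.kernelArguments; the Machine Config Operator rewrites the BLS entry and reboots the node, after which both the entry check and the /proc/cmdline check flip to true.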
Disable Mounting of cramfs | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled | low | CCE-82514-1
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_cramfs_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82514-1 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | disa | CCI-000381 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000095-GPOS-00049 |
|
| Description |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem.
The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface
of the server. |
|
OVAL test results details
kernel module cramfs blacklisted
oval:ssg-test_kernmod_cramfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+cramfs$ | 1 |
kernel module cramfs disabled
oval:ssg-test_kernmod_cramfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of freevxfs | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled | low | CCE-82713-9
Disable Mounting of freevxfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_freevxfs_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82713-9 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled. |
|
OVAL test results details
kernel module freevxfs blacklisted
oval:ssg-test_kernmod_freevxfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_freevxfs_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+freevxfs$ | 1 |
kernel module freevxfs disabled
oval:ssg-test_kernmod_freevxfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_freevxfs_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module freevxfs disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of hfs | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled | low | CCE-82714-7
Disable Mounting of hfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_hfs_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82714-7 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:
install hfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled. |
|
OVAL test results details
kernel module hfs blacklisted
oval:ssg-test_kernmod_hfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfs_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+hfs$ | 1 |
kernel module hfs disabled
oval:ssg-test_kernmod_hfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfs_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module hfs disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_hfs_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of hfsplus | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled | low | CCE-82715-4
Disable Mounting of hfsplus
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_hfsplus_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82715-4 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:
install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled. |
|
OVAL test results details
kernel module hfsplus blacklisted
oval:ssg-test_kernmod_hfsplus_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfsplus_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+hfsplus$ | 1 |
kernel module hfsplus disabled
oval:ssg-test_kernmod_hfsplus_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfsplus_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ | 1 |
kernel module hfsplus disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of jffs2 | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled | low | CCE-82716-2
Disable Mounting of jffs2
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_jffs2_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82716-2 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled. |
|
OVAL test results details
kernel module jffs2 blacklisted
oval:ssg-test_kernmod_jffs2_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_jffs2_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+jffs2$ | 1 |
kernel module jffs2 disabled
oval:ssg-test_kernmod_jffs2_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_jffs2_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ | 1 |
kernel module jffs2 disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of squashfs | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled | low | CCE-82717-0
Disable Mounting of squashfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_squashfs_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82717-0 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem.
The squashfs filesystem type is a compressed read-only Linux
filesystem embedded in small footprint systems (similar to
cramfs). A squashfs image can be used without having
to first decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack
surface of the system. |
|
OVAL test results details
kernel module squashfs blacklisted
oval:ssg-test_kernmod_squashfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+squashfs$ | 1 |
kernel module squashfs disabled
oval:ssg-test_kernmod_squashfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module squashfs disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Mounting of udf | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled | low | CCE-82718-8
Disable Mounting of udf
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_udf_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | low |
| Identifiers: | CCE-82718-8 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 |
|
| Description |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
install udf /bin/false
This effectively prevents usage of this uncommon filesystem.
The udf filesystem type is the universal disk format
used to implement the ISO/IEC 13346 and ECMA-167 specifications.
This is an open vendor filesystem type for data storage on a broad
range of media. This filesystem type is necessary to support
writing DVDs and newer optical disc formats. |
| Rationale | Removing support for unneeded filesystem types reduces the local
attack surface of the system. |
|
OVAL test results details
kernel module udf blacklisted
oval:ssg-test_kernmod_udf_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+udf$ | 1 |
kernel module udf disabled
oval:ssg-test_kernmod_udf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+udf\s+(/bin/false\|/bin/true)$ | 1 |
kernel module udf disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_udf_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+udf\s+(/bin/false\|/bin/true)$ | 1 |
Disable Modprobe Loading of USB Storage Driver (xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled, severity medium, CCE-82719-6)
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
| Time | 2025-10-23T19:36:00+00:00 |
| Severity | medium |
| Identifiers: | CCE-82719-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.21 | | disa | CCI-000778, CCI-001958, CCI-003959 | | hipaa | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030 | | pcidss4 | 3.4.2, 3.4 |
|
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
|
OVAL test results details
kernel module usb-storage blacklisted
oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^blacklist\s+usb-storage$ | 1 |
kernel module usb-storage disabled
oval:ssg-test_kernmod_usb-storage_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$ | 1 |
kernel module usb-storage disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/modprobe.conf | ^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$ | 1 |
Disable acquiring, saving, and processing core dumps (xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled, severity medium, CCE-82530-7)
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-coredump_disabled:def:1 |
| Time | 2025-10-23T19:36:31+00:00 |
| Severity | medium |
| Identifiers: | CCE-82530-7 |
| References: | |
| Description | The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. |
OVAL test results details
Test that the property LoadState from the systemd-coredump.socket is masked
oval:ssg-test_socket_loadstate_is_masked_systemd-coredump:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|---|---|---|
| false | systemd-coredump.socket | LoadState | loaded |
Disable core dump backtraces (xccdf_org.ssgproject.content_rule_coredump_disable_backtraces, severity medium, CCE-82529-9)
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2025-10-23T19:36:31+00:00 |
| Severity | medium |
| Identifiers: | CCE-82529-9 |
| References: | |
| Description | The ProcessSizeMax option in the [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended;
however, there may be overriding operational requirements to enable advanced
debugging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
OVAL test results details
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/systemd/coredump.conf | [Coredump]<br>#Storage=external<br>#Compress=yes<br>ProcessSizeMax=1G |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$\|#) | 1 |
Disable storing core dump (xccdf_org.ssgproject.content_rule_coredump_disable_storage, severity medium, CCE-82528-1)
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2025-10-23T19:36:31+00:00 |
| Severity | medium |
| Identifiers: | CCE-82528-1 |
| References: | |
| Description | The Storage option in the [Coredump] section of /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended;
however, there may be overriding operational requirements to enable advanced
debugging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
OVAL test results details
tests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$\|#) | 1 |
tests the value of Storage setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_storage_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$\|#) | 1 |
Disable Core Dumps for All Users (xccdf_org.ssgproject.content_rule_disable_users_coredumps, severity medium, CCE-82526-5)
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_users_coredumps:def:1 |
| Time | 2025-10-23T19:36:31+00:00 |
| Severity | medium |
| Identifiers: | CCE-82526-5 |
| References: | | cis-csc | 1, 12, 13, 15, 16, 2, 7, 8 | | cobit5 | APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07 | | disa | CCI-000366 | | isa-62443-2013 | SR 6.2, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.17.2.1 | | nist | CM-6, SC-7(10) | | nist-csf | DE.CM-1, PR.DS-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 3.3.1.1, 3.3.1, 3.3 |
|
| Description | To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
* hard core 0
|
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
|
OVAL test results details
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+) | 1 |
Tests for existence of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard\|-)[\s]+core | 1 |
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file
oval:ssg-test_core_dumps_limitsconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/limits.conf | ^[\s]*\*[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+) | 1 |
Restrict Exposed Kernel Pointer Addresses Access (xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict, severity medium, CCE-82498-7)
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kptr_restrict:def:1 |
| Time | 2025-10-23T19:36:34+00:00 |
| Severity | medium |
| Identifiers: | CCE-82498-7 |
| References: | | disa | CCI-000366, CCI-002824, CCI-001082 | | nerc-cip | CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4 | | nist | SC-30, SC-30(2), SC-30(5), CM-6(a) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227 | | anssi | R9 |
|
| Description | To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1
|
| Rationale | Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain function pointers. If a write vulnerability
occurs in the kernel that allows write access to any of these structures, the kernel can
be compromised. This option prevents any program without the CAP_SYSLOG capability
from obtaining the addresses of kernel pointers by replacing them with 0. |
OVAL test results details
kernel.kptr_restrict static configuration
oval:ssg-test_sysctl_kernel_kptr_restrict_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1 |
kernel.kptr_restrict static configuration
oval:ssg-test_sysctl_kernel_kptr_restrict_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1 |
kernel.kptr_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_kptr_restrict_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /usr/lib/sysctl.d/50-redhat.conf | kernel.kptr_restrict = 1 |
kernel runtime parameter kernel.kptr_restrict set to the appropriate value
oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | kernel.kptr_restrict | 1 |
Enable page allocator poisoning (xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument, severity medium, CCE-82673-5)
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_page_poison_kernel_argument:def:1 |
| Time | 2025-10-23T19:36:34+00:00 |
| Severity | medium |
| Identifiers: | CCE-82673-5 |
| References: | | nist | CM-6(a) | | app-srg-ctr | SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610 |
|
| Description | To enable poisoning of free pages, add the argument page_poison=1 to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in /boot/loader/entries/*.conf. |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
It also prevents data leaks and aids the detection of corrupted memory. |
|
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument page_poison=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Disable storing core dumps (xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern, severity medium, CCE-82527-3)
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_core_pattern:def:1 |
| Time | 2025-10-23T19:36:04+00:00 |
| Severity | medium |
| Identifiers: | CCE-82527-3 |
| References: | |
| Description | To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false
|
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
|
OVAL test results details
kernel.core_pattern static configuration
oval:ssg-test_sysctl_kernel_core_pattern_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1 |
kernel.core_pattern static configuration
oval:ssg-test_sysctl_kernel_core_pattern_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1 |
kernel.core_pattern static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_core_pattern_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /usr/lib/sysctl.d/50-coredump.conf | kernel.core_pattern=\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h |
kernel runtime parameter kernel.core_pattern set to |/bin/false
oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | kernel.core_pattern | \|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h |
Restrict Access to Kernel Message Buffer (xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict, severity low, CCE-82499-5)
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_dmesg_restrict:def:1 |
| Time | 2025-10-23T19:36:07+00:00 |
| Severity | low |
| Identifiers: | CCE-82499-5 |
| References: | | cui | 3.1.5 | | disa | CCI-001082, CCI-001090 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | nist | SI-11(a), SI-11(b) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 | | app-srg-ctr | SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610 | | anssi | R9 |
|
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
|
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
|
OVAL test results details
kernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1 |
kernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1 |
kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | kernel.dmesg_restrict | 0 |
Disable Kernel Image Loading (xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled, severity medium, CCE-82500-0)
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kexec_load_disabled:def:1 |
| Time | 2025-10-23T19:36:12+00:00 |
| Severity | medium |
| Identifiers: | CCE-82500-0 |
| References: | | disa | CCI-003992, CCI-000366 | | nist | CM-6 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 |
|
| Description | To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1
|
| Rationale | Disabling kexec_load allows greater control of the kernel memory.
It makes it impossible to load another kernel image after it has been disabled. |
|
OVAL test results details
kernel.kexec_load_disabled static configuration
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 |
kernel.kexec_load_disabled static configuration
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 |
kernel.kexec_load_disabled static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.kexec_load_disabled set to 1
oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | kernel.kexec_load_disabled | 0 |
Disallow kernel profiling by unprivileged users (xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid, severity low, CCE-82502-6)
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_perf_event_paranoid:def:1 |
| Time | 2025-10-23T19:36:15+00:00 |
| Severity | low |
| Identifiers: | CCE-82502-6 |
| References: | | disa | CCI-001082, CCI-001090 | | nist | AC-6 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 | | app-srg-ctr | SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610 | | anssi | R9 |
|
| Description | To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2
|
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
|
OVAL test results details
kernel.perf_event_paranoid static configuration
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 |
kernel.perf_event_paranoid static configuration
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 |
kernel.perf_event_paranoid static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.perf_event_paranoid set to 2
oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| true | kernel.perf_event_paranoid | 2 |
Disable Access to Network bpf() Syscall From Unprivileged Processes | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled | medium | CCE-82504-2
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1 |
| Time | 2025-10-23T19:36:21+00:00 |
| Severity | medium |
| Identifiers: | CCE-82504-2 |
| References: | | disa | CCI-000366, CCI-001082 | | nist | AC-6, SC-7(10) | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 | | anssi | R9 |
|
| Description | To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1
|
| Rationale | Loading and inspecting BPF programs and maps through the bpf()
syscall can reveal sensitive information about kernel state. Note that the values 1 and 2 both disable unprivileged bpf(): 1 cannot be cleared again until reboot, whereas 2 can be changed back to 0 by an administrator at runtime. The check requires exactly 1, which is why the runtime value 2 reported below is counted as non-compliant. |
|
OVAL test results details
kernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 |
kernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 |
kernel.unprivileged_bpf_disabled static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | kernel.unprivileged_bpf_disabled | 2 |
Restrict usage of ptrace to descendant processes | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope | medium | CCE-82501-8
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1 |
| Time | 2025-10-23T19:36:25+00:00 |
| Severity | medium |
| Identifiers: | CCE-82501-8 |
| References: | | disa | CCI-000366, CCI-001082 | | nist | SC-7(10) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 | | anssi | R11 |
|
| Description | To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1
|
| Rationale | Unrestricted use of ptrace allows a compromised binary to attach to
any other process of the same user. An attacker can then steal
sensitive information from those processes (e.g. SSH sessions, web browsers, ...)
without any further help from the user (i.e. without resorting to phishing).
With the value 1, a process may only be traced by a descendant, or by a tracer it has explicitly allowed with PR_SET_PTRACER; processes holding CAP_SYS_PTRACE are unaffected.
|
OVAL test results details
kernel.yama.ptrace_scope static configuration
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 |
kernel.yama.ptrace_scope static configuration
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 |
kernel.yama.ptrace_scope static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /usr/lib/sysctl.d/10-default-yama-scope.conf | kernel.yama.ptrace_scope = 0 |
kernel runtime parameter kernel.yama.ptrace_scope set to 1
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | kernel.yama.ptrace_scope | 0 |
Harden the operation of the BPF just-in-time compiler | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden | medium | CCE-82505-9
Harden the operation of the BPF just-in-time compiler
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_core_bpf_jit_harden:def:1 |
| Time | 2025-10-23T19:36:30+00:00 |
| Severity | medium |
| Identifiers: | CCE-82505-9 |
| References: | |
| Description | To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2
|
| Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
blinds the constants in JIT-compiled BPF programs, so that attacker-chosen immediates cannot be used to smuggle executable bytes into kernel memory,
and it stops exposing JIT image addresses through /proc/kallsyms (bpf_jit_kallsyms is disabled while hardening is on).
The value 1 hardens only programs loaded by unprivileged users; 2 hardens programs from all users, including root, which is what this rule requires. The runtime value 1 reported below therefore fails the check. |
|
OVAL test results details
net.core.bpf_jit_harden static configuration
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 |
net.core.bpf_jit_harden static configuration
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 |
| oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 |
net.core.bpf_jit_harden static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.core.bpf_jit_harden set to 2
oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|---|---|
| false | net.core.bpf_jit_harden | 1 |
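The four sysctl rules above (kernel.perf_event_paranoid, kernel.unprivileged_bpf_disabled, kernel.yama.ptrace_scope and net.core.bpf_jit_harden) share one test structure: a runtime check of the live value, a check of the administrator-supplied configuration (/etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d), a check that no such configuration exists at all, and a check of the packaged defaults in /usr/lib/sysctl.d. The Python below is an added example, not code from this report or from the ComplianceAsCode/SSG project. It models systemd-sysctl's precedence rules over constructed file contents, combines the four tests the way the OVAL definitions do (runtime correct AND (user config correct OR (no user config AND packaged config correct))), and, because on OpenShift the persistent file is normally delivered through a MachineConfig rather than edited on the node, emits that MachineConfig as a dict. The combination logic, the file name 75-kernel-hardening.conf, the MachineConfig name and the Ignition version are this example's assumptions; the real OVAL checks every matching line rather than the effective value, so a directory containing conflicting files can fail the scan while passing here.

```python
"""Added example, not part of the scan report or of the SSG content: evaluate
the sysctl rules above the way their OVAL tests do, over constructed file
contents and a constructed runtime value, and build the MachineConfig that is
the supported way to deliver a sysctl.d file to RHCOS nodes. Nothing here
reads the real host."""
import json
import re
from urllib.parse import quote

# systemd-sysctl precedence (sysctl.d(5)): a file in an earlier directory
# shadows a same-named file in a later one; the surviving files are applied in
# lexicographic filename order and the last assignment wins.
SYSCTL_DIRS = ("/etc/sysctl.d", "/run/sysctl.d",
               "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d")
USER_DIRS = SYSCTL_DIRS[:3]   # what the *_static_user tests look at
PKG_DIRS = SYSCTL_DIRS[3:]    # what the *_static_pkg_correct test looks at

ASSIGN_RE = re.compile(r"^\s*-?([\w./]+)\s*=\s*(.*\S)\s*$")


def parse_sysctl_file(text):
    """{key: value} for one file. '#' and ';' start comments; a leading '-'
    only suppresses errors; keys may use '/' for '.', so normalise them."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1).replace("/", ".")] = m.group(2)
    return settings


def effective_static(files, dirs=SYSCTL_DIRS):
    """files: {path: content}. Settings systemd-sysctl would apply at boot
    from the given directories, after shadowing and ordering."""
    chosen = {}  # basename -> (directory rank, content)
    for path, text in files.items():
        directory, _, name = path.rpartition("/")
        if directory not in dirs:
            continue
        rank = dirs.index(directory)
        if name not in chosen or rank < chosen[name][0]:
            chosen[name] = (rank, text)
    result = {}
    for name in sorted(chosen):
        result.update(parse_sysctl_file(chosen[name][1]))
    return result


def evaluate_rule(key, expected, files, runtime_value):
    """Mirror the four tests shown for each rule and combine them as the OVAL
    definition does (assumption of this example): runtime correct AND
    (user config correct OR (no user config AND packaged config correct))."""
    user = effective_static(files, USER_DIRS)
    pkg = effective_static(files, PKG_DIRS)
    t = {
        "static_user": user.get(key) == expected,
        "static_user_missing": key not in user,
        "static_pkg_correct": pkg.get(key) == expected,
        "runtime": str(runtime_value) == expected,
    }
    t["pass"] = t["runtime"] and (
        t["static_user"] or (t["static_user_missing"] and t["static_pkg_correct"]))
    return t


def sysctl_machineconfig(settings, role="worker",
                         path="/etc/sysctl.d/75-kernel-hardening.conf"):
    """MachineConfig (as a dict; dump it with json or yaml) that writes one
    sysctl.d file. Ignition takes the content as a percent-encoded data: URL;
    mode 420 is 0644 in decimal. Name and path are this example's choices."""
    body = "".join(f"{k} = {v}\n" for k, v in settings.items())
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {"name": f"75-{role}-kernel-hardening",
                     "labels": {"machineconfiguration.openshift.io/role": role}},
        "spec": {"config": {
            "ignition": {"version": "3.2.0"},
            "storage": {"files": [{"path": path, "mode": 420, "overwrite": True,
                                   "contents": {"source": "data:," + quote(body, safe="")}}]},
        }},
    }


HARDENING = {"kernel.perf_event_paranoid": "2", "kernel.unprivileged_bpf_disabled": "1",
             "kernel.yama.ptrace_scope": "1", "net.core.bpf_jit_harden": "2"}
# Constructed node state matching the ptrace_scope result above: only the
# packaged default exists, and it sets 0.
NODE_FILES = {"/usr/lib/sysctl.d/10-default-yama-scope.conf":
              "# Yama default\nkernel.yama.ptrace_scope = 0\n"}
# The same node after the hardening file lands in /etc/sysctl.d.
HARDENED_FILES = {**NODE_FILES, "/etc/sysctl.d/75-kernel-hardening.conf":
                  "".join(f"{k} = {v}\n" for k, v in HARDENING.items())}

if __name__ == "__main__":
    print("ptrace_scope before:", evaluate_rule("kernel.yama.ptrace_scope", "1", NODE_FILES, 0))
    print("ptrace_scope after: ", evaluate_rule("kernel.yama.ptrace_scope", "1", HARDENED_FILES, 1))
    # Runtime 2 also disables unprivileged bpf(), but the rule wants exactly 1:
    print("bpf runtime=2:", evaluate_rule("kernel.unprivileged_bpf_disabled", "1", HARDENED_FILES, 2)["pass"])
    print(json.dumps(sysctl_machineconfig(HARDENING), indent=2))
```

Applying the MachineConfig triggers a rolling reboot of the pool, which is also what makes the static and runtime values agree; writing the file on a node with `oc debug` and running `sysctl -w` satisfies the scan only until the Machine Config Operator or an upgrade replaces the node.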
Ensure SELinux Not Disabled in the kernel arguments | xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument | medium | CCE-83899-5
Ensure SELinux Not Disabled in the kernel arguments
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_enable_selinux_kernel_argument:def:1 |
| Time | 2025-10-23T19:36:34+00:00 |
| Severity | medium |
| Identifiers: | CCE-83899-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.7.2 | | disa | CCI-000022, CCI-000032 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-3, AC-3(3)(a) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 | | app-srg-ctr | SRG-APP-000233-CTR-000585, CNTR-OS-000540 | | bsi | APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21 |
|
| Description | SELinux can be disabled at boot time through the kernel argument selinux=0.
Remove any instance of selinux=0 from the kernel arguments in the bootloader entries
under /boot/loader/entries/ (the ostree-*.conf files on RHCOS, one per deployment) so that SELinux
cannot be disabled at boot; the arguments of the running kernel are visible in /proc/cmdline.
On OpenShift, kernel arguments are managed through the kernelArguments field of a MachineConfig
(or rpm-ostree kargs on the node) rather than by editing these files by hand. |
| Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time. Further, it increases
the chances that it will remain off during system operation. |
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument selinux=0 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Configure SELinux Policy | xccdf_org.ssgproject.content_rule_selinux_policytype | medium | CCE-82532-3
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2025-10-23T19:36:34+00:00 |
| Severity | medium |
| Identifiers: | CCE-82532-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.7.2 | | disa | CCI-002696 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AC-3, AC-3(3)(a), AU-9, SC-7(21) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 | | ospp | FMT_MOF_EXT.1 | | os-srg | SRG-OS-000445-GPOS-00199 | | app-srg-ctr | SRG-APP-000233-CTR-000585, CNTR-OS-000540 | | anssi | R46, R64 | | bsi | APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21 | | pcidss4 | 1.2.6, 1.2 |
|
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
OVAL test results details
tests the value of SELINUXTYPE setting in the /etc/selinux/config file
oval:ssg-test_selinux_policytype:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/selinux/config | SELINUXTYPE=targeted |
The configuration file /etc/selinux/config exists for selinux_policytype
oval:ssg-test_selinux_policytype_config_file_exists:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /etc/selinux/config | regular | 0 | 0 | 1263 | rw-r--r-- |
Ensure SELinux State is Enforcing | xccdf_org.ssgproject.content_rule_selinux_state | high | CCE-82531-5
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_state:def:1 |
| Time | 2025-10-23T19:36:34+00:00 |
| Severity | high |
| Identifiers: | CCE-82531-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.7.2 | | disa | CCI-002696, CCI-001084 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AC-3, AC-3(3)(a), AU-9, SC-7(21) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 | | ospp | FMT_MOF_EXT.1 | | os-srg | SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 | | anssi | R37, R79 | | bsi | APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21 | | pcidss4 | 1.2.6, 1.2 | | app-srg-ctr | CNTR-OS-000540 |
|
| Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
|
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details
/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/selinux/config | SELINUX=enforcing |
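The three SELinux rules above inspect three places: the options line of each BLS bootloader entry (ostree-1.*.conf and ostree-2.*.conf, because rpm-ostree keeps up to two deployments), /proc/cmdline for the running kernel, and /etc/selinux/config for the boot-time state and policy. The Python below is an added example, not code from this report or from the SSG project; it parses those inputs from constructed text and combines them into one verdict. Beyond the rule itself it also flags enforcing=0, which boots the kernel permissive without disabling SELinux, and its inputs (the shortened ostree hashes and UUIDs, the file contents) are constructed for the example. Note that it reports the boot posture only: a runtime `setenforce 0` leaves /etc/selinux/config untouched, so pair this with `getenforce` on the node.

```python
"""Added example, not part of the scan report or of the SSG content: decide a
node's SELinux boot posture from the three places the rules above inspect
(the 'options' line of a BLS bootloader entry, /proc/cmdline and
/etc/selinux/config). All input below is constructed; nothing reads the host."""
import shlex

# Kernel arguments that weaken SELinux at boot. The rule above looks for
# selinux=0 only; enforcing=0 (boot permissive) is added here as a caveat.
WEAKENING_KARGS = {"selinux": "0", "enforcing": "0"}


def parse_cmdline(line):
    """Split a kernel command line into {param: value}. Handles quoted values
    (cgroup_no_v1="all") and values containing '=' (root=UUID=...); a bare
    word such as 'rw' maps to None. A repeated parameter keeps its last
    occurrence, which is how the kernel resolves selinux= and enforcing=."""
    params = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def bootloader_options(entry_text):
    """Kernel arguments from the 'options ' line of a BLS entry
    (/boot/loader/entries/ostree-*.conf); '' if the entry has none."""
    for line in entry_text.splitlines():
        if line.startswith("options "):
            return line[len("options "):]
    return ""


def weakening_kargs(cmdline):
    """Subset of WEAKENING_KARGS present on the command line with the bad value."""
    params = parse_cmdline(cmdline)
    return {k: v for k, v in params.items()
            if k in WEAKENING_KARGS and v == WEAKENING_KARGS[k]}


def parse_selinux_config(text):
    """KEY=value pairs from /etc/selinux/config; '#' comments and blanks ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def selinux_posture(bls_entries, proc_cmdline, selinux_config, policy="targeted"):
    """Run the three checks and return {'compliant': bool, 'findings': {...}}.
    bls_entries: {path: file text}. This is the boot posture only: a runtime
    'setenforce 0' does not change /etc/selinux/config."""
    findings = {}
    for path, text in bls_entries.items():
        bad = weakening_kargs(bootloader_options(text))
        if bad:
            findings[path] = bad
    bad = weakening_kargs(proc_cmdline)
    if bad:
        findings["/proc/cmdline"] = bad
    conf = parse_selinux_config(selinux_config)
    if conf.get("SELINUX") != "enforcing":
        findings["SELINUX"] = conf.get("SELINUX")
    if conf.get("SELINUXTYPE") != policy:
        findings["SELINUXTYPE"] = conf.get("SELINUXTYPE")
    return {"compliant": not findings, "findings": findings}


# Constructed inputs modelled on the report (ostree hashes and UUIDs shortened).
GOOD_ENTRY = (
    "title Red Hat Enterprise Linux CoreOS (ostree)\n"
    "version 1\n"
    "options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/abc123/0 "
    "ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 "
    "root=UUID=d8142f91 rw rootflags=prjquota boot=UUID=4efce5b0 "
    "systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=\"all\" psi=0\n"
)
BAD_ENTRY = GOOD_ENTRY.replace("psi=0", "psi=0 selinux=0")
GOOD_CMDLINE = ("BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-abc123/vmlinuz-5.14.0 "
                + bootloader_options(GOOD_ENTRY))
GOOD_CONFIG = ("# This file controls the state of SELinux on the system.\n"
               "SELINUX=enforcing\nSELINUXTYPE=targeted\n")

if __name__ == "__main__":
    print(selinux_posture({"/boot/loader/entries/ostree-1.conf": GOOD_ENTRY},
                          GOOD_CMDLINE, GOOD_CONFIG))
    print(selinux_posture({"/boot/loader/entries/ostree-1.conf": BAD_ENTRY},
                          GOOD_CMDLINE + " enforcing=0",
                          GOOD_CONFIG.replace("enforcing", "permissive")))
```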
Enable the NTP Daemon | xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled | medium | CCE-82682-6
Enable the NTP Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_chronyd_or_ntpd_enabled:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82682-6 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.7 | | disa | CCI-000160 | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9 | | ism | 0988, 1405 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | | nist | CM-6(a), AU-8(1)(a), AU-12(1) | | nist-csf | PR.PT-1 | | pcidss | Req-10.4.1 | | app-srg-ctr | SRG-APP-000116-CTR-000235, CNTR-OS-000230, CNTR-OS-000240 | | anssi | R71 | | pcidss4 | 10.6.1, 10.6 |
|
| Description |
As a user with administrator privileges, log into a node in the relevant pool:
$ oc debug node/$NODE_NAME
At the sh-4.4# prompt, run:
# chroot /host
Run the following command to determine the current status of the
chronyd service:
$ sudo systemctl is-active chronyd
If the service is running, it should return the following: active
Note: The chronyd daemon is enabled by default.
Repeat the same steps (oc debug node/$NODE_NAME, then chroot /host) to determine
the current status of the ntpd service:
$ sudo systemctl is-active ntpd
If the service is running, it should return the following: active
Note: The ntpd daemon is not enabled by default. In certain environments, however,
ntpd may be preferred over chronyd. Refer to:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for guidance on which NTP daemon to choose for a given environment. |
| Rationale | Enabling either the chronyd or the ntpd service ensures
that an NTP daemon is running and that the system synchronizes its
time with the configured servers. This matters whether the system is
configured as a client (synchronizing only its own clock) or also
acts as an NTP server for other systems. Synchronized time is essential for
authentication services such as Kerberos, and for keeping logs accurate enough
to audit possible security breaches.
The chronyd and ntpd NTP daemons offer all of the
functionality of ntpdate, which is now deprecated. |
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | chrony | x86_64 | (none) | 1.el9 | 4.6.1 | 0:4.6.1-1.el9 | 199e2f91fd431d51 | chrony-0:4.6.1-1.el9.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|---|---|---|
| true | chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| true | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
package ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type
rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_ntpd:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|---|
| ^ntpd\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
Disable chrony daemon from acting as server (xccdf_org.ssgproject.content_rule_chronyd_client_only, severity low, CCE-82465-6)
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_client_only:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | low |
| Identifiers: | CCE-82465-6 |
| References: | disa: CCI-000382, CCI-000381; nist: AU-8(1), AU-12(1); ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 |
| Description | The port option in /etc/chrony.conf can be set to
0 so that the chrony daemon never opens a listening port
for server operation and operates strictly in client-only mode. |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. |
OVAL test results details
check if port is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_client_only:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_port_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/chrony.conf | ^\s*port[\s]+(\S+) | 1 |
Disable network management of chrony daemon (xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network, severity low, CCE-82466-4)
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_no_chronyc_network:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | low |
| Identifiers: | CCE-82466-4 |
| References: | disa: CCI-000382, CCI-000381; nist: CM-7(1); os-srg: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 |
| Description | The cmdport option in /etc/chrony.conf can be set to
0 to stop the chrony daemon from listening on UDP port 323
for management connections made by chronyc. |
| Rationale | Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface. |
OVAL test results details
check if cmdport is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_no_chronyc_network:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/chrony.conf | ^\s*cmdport[\s]+(\S+) | 1 |
Configure Time Service Maxpoll Interval (xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll, severity medium, CCE-82684-2)
Configure Time Service Maxpoll Interval
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82684-2 |
| References: | cis-csc: 1, 14, 15, 16, 3, 5, 6; cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; disa: CCI-001890, CCI-004926, CCI-004923; isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; nist: CM-6(a), AU-8(1)(b), AU-12(1); nist-csf: PR.PT-1; os-srg: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146 |
| Description | The maxpoll should be configured to
10 in /etc/ntp.conf or
/etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/),
append the following to each server, pool or peer entry:
maxpoll 10
If using chrony, any pool directives should be configured too.
Note that if the remediation shipping with this content is being used, the
MachineConfig shipped does not include reference NTP servers to point
to. It is up to the admin to set these, which will vary depending on the
cluster's requirements.
The aforementioned remediation does include the directory /etc/chrony.d,
which allows the creation of configuration files to set these servers.
If we'd like to set a configuration like the following:
```
pool 2.rhel.pool.ntp.org iburst
server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
```
this could be done with the following manifest:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true
```
Note that this needs to be done for each MachineConfigPool. |
| Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). |
OVAL test results details
check if maxpoll is set in /etc/ntp.conf
oval:ssg-test_ntp_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ntp.conf | ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/ntp.conf
oval:ssg-test_ntp_all_server_has_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ntp.conf | ^server[\s]+[\S]+[\s]+(.*) | 1 |
check if maxpoll is set in /etc/chrony.conf or /etc/chrony.d/
oval:ssg-test_chrony_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^(/etc/chrony\.conf|/etc/chrony\.d/.+\.conf)$ | ^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/chrony.conf or /etc/chrony.d/
oval:ssg-test_chrony_all_server_has_maxpoll:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Specify Additional Remote NTP Servers (xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers, severity medium, CCE-82685-9)
Specify Additional Remote NTP Servers
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82685-9 |
| References: | cis-csc: 1, 14, 15, 16, 3, 5, 6; cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9; ism: 0988, 1405; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; nist: CM-6(a), AU-8(1)(a), AU-8(2), AU-12(1); nist-csf: PR.PT-1; pcidss: Req-10.4.3 |
| Description | Depending on the specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux CoreOS 4 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or the services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for a more detailed comparison of the features of the two choices, and for
further guidance on how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so,
perform the following:
- if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
- if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add additional lines of the following form, substituting the IP address or
hostname of a remote NTP server for ntpserver:
server ntpserver
Note that if the remediation shipping with this content is being used, the
MachineConfig shipped does not include reference NTP servers to point
to. It is up to the admin to set these, which will vary depending on the
cluster's requirements.
The aforementioned remediation does include the directory /etc/chrony.d,
which allows the creation of configuration files to set these servers.
If we'd like to set a configuration like the following:
```
pool 2.rhel.pool.ntp.org iburst
server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
```
this could be done with the following manifest:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true
```
Note that this needs to be done for each MachineConfigPool. |
| Rationale | Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems. |
OVAL test results details
Ensure more than one chronyd NTP server is set
oval:ssg-test_chronyd_multiple_servers:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_multiple_servers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/chrony\.(conf|d/.+\.conf)$ | ^([\s]*server[\s]+.+$){2,}$ | 1 |
Ensure more than one ntpd NTP server is set
oval:ssg-test_ntpd_multiple_servers:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntpd_multiple_servers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ntp.conf | ^([\s]*server[\s]+.+$){2,}$ | 1 |
Specify a Remote NTP Server (xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server, severity medium, CCE-82683-4)
Specify a Remote NTP Server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82683-4 |
| References: | cis-csc: 1, 14, 15, 16, 3, 5, 6; cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; cui: 3.3.7; disa: CCI-000160, CCI-001891; isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; nist: CM-6(a), AU-8(1)(a), AU-8(2), AU-12(1); nist-csf: PR.PT-1; pcidss: Req-10.4.1, Req-10.4.3; app-srg-ctr: SRG-APP-000116-CTR-000235, CNTR-OS-000230, CNTR-OS-000240 |
| Description | Depending on the specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux CoreOS 4 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or the services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for a more detailed comparison of the features of the two choices, and for
further guidance on how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
- if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
- if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
Add or correct the following line, substituting the IP address or hostname of a remote
NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
Note that if the remediation shipping with this content is being used, the
MachineConfig shipped does not include reference NTP servers to point
to. It is up to the admin to set these, which will vary depending on the
cluster's requirements.
The aforementioned remediation does include the directory /etc/chrony.d,
which allows the creation of configuration files to set these servers.
If we'd like to set a configuration like the following:
```
pool 2.rhel.pool.ntp.org iburst
server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
```
this could be done with the following manifest:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-chrony-servers
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
        mode: 0600
        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
        overwrite: true
```
Note that this needs to be done for each MachineConfigPool. |
| Rationale | Synchronizing with an NTP server makes it possible to collate system
logs from multiple sources or correlate computer events with real time events. |
OVAL test results details
Ensure at least one NTP server is set
oval:ssg-test_chronyd_remote_server:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Ensure at least one ntpd NTP server is set
oval:ssg-test_ntp_remote_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_remote_server:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ntp.conf | ^[\s]*server[\s]+.+$ | 1 |
Set SSH Client Alive Count Max (xccdf_org.ssgproject.content_rule_sshd_set_keepalive, severity medium, CCE-82464-9)
Set SSH Client Alive Count Max
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_keepalive:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82464-9 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8; cjis: 5.5.6; cobit5: APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; cui: 3.1.11; disa: CCI-001133, CCI-002361; hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3; isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; nerc-cip: CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3; nist: AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a); nist-csf: DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2; pcidss: Req-8.1.8; os-srg: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109; pcidss4: 8.2.8, 8.2 |
| Description | The SSH server sends at most ClientAliveCountMax messages
during an SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures the timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep-alive message. |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of ClientAliveCountMax is present
oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-obj_sshd_set_keepalive:obj:1 |
Set SSH Client Alive Interval (xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout, medium, CCE-82549-7)
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_idle_timeout:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82549-7 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cjis | 5.5.6 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.11 | | disa | CCI-001133, CCI-002361, CCI-002891 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175 | | pcidss4 | 8.2.8, 8.2 |
| Description | SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 300
The timeout interval is given in seconds. For example, to have a timeout
of 10 minutes, set the interval to 600.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been left unattended. |
| Warnings | warning
SSH disconnecting unresponsive clients will not have the desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
The following conditions may prevent the SSH session from timing out:
- Remote processes on the remote machine generate output. As the output has to be transferred over the network to the client, the timeout is reset every time such a transfer happens.
- Any scp or sftp activity by the same user to the host resets the timeout. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
timeout is configured
oval:ssg-test_sshd_idle_timeout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_idle_timeout:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
Verify that the value of ClientAliveInterval is present
oval:ssg-test_clientaliveinterval_present:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_idle_timeout:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-object_sshd_idle_timeout:obj:1 |
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of ClientAliveCountMax is present
oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-obj_sshd_set_keepalive:obj:1 |
Disable SSH Support for .rhosts Files (xccdf_org.ssgproject.content_rule_sshd_disable_rhosts, medium, CCE-82665-1)
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_rhosts:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82665-1 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5, 9 | | cjis | 5.5.6 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.12 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 2.2.6, 2.2 |
| Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate
configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in
/etc/ssh/sshd_config:
IgnoreRhosts yes
|
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_rhosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of IgnoreRhosts is present
oval:ssg-test_IgnoreRhosts_present_sshd_disable_rhosts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
| Set |
|---|
| oval:ssg-obj_sshd_disable_rhosts:obj:1 |
Limit Users' SSH Access (xccdf_org.ssgproject.content_rule_sshd_limit_user_access, unknown, CCE-82664-4)
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_limit_user_access |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_limit_user_access:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | unknown |
| Identifiers: | CCE-82664-4 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.12 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-3, CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.PT-3 | | pcidss | Req-2.2.4 | | pcidss4 | 2.2.6, 2.2 |
| Description | By default, the SSH configuration allows any user with an account
to access the system. There are several options available to limit
which users and groups can access the system via SSH. It is
recommended that at least one of the following options be leveraged:
- AllowUsers variable gives the system administrator the option of
allowing specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically allowing a user's access only from a
particular host, the entry can be specified in the form of user@host.
- AllowGroups variable gives the system administrator the option of
allowing specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable.
- DenyUsers variable gives the system administrator the option of
denying specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically denying a user's access from a
particular host, the entry can be specified in the form of user@host.
- DenyGroups variable gives the system administrator the option of
denying specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable. |
| Rationale | Specifying which accounts are allowed SSH access into the system reduces the
possibility of unauthorized access to the system. |
| Warnings | warning
Automated remediation is not available for this configuration check
because each system has unique user names and group names. |
OVAL test results details
Check if there is an AllowUsers entry
oval:ssg-test_allow_user_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_allow_user:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^\/etc\/ssh\/sshd_config.*$ | (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is an AllowGroups entry
oval:ssg-test_allow_group_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_allow_group:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is a DenyUsers entry
oval:ssg-test_deny_user_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_deny_user:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Check if there is a DenyGroups entry
oval:ssg-test_deny_group_is_configured:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_deny_group:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1 |
Verify Group Who Owns SSH Server config file (xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config, medium)
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_sshd_config:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 |
| Description |
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing group ownership of /etc/ssh/sshd_config
oval:ssg-test_file_groupowner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1 |
Verify Owner on SSH Server config file (xccdf_org.ssgproject.content_rule_file_owner_sshd_config, medium)
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_sshd_config:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 |
| Description |
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing user ownership of /etc/ssh/sshd_config
oval:ssg-test_file_owner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1 |
Verify Permissions on SSH Server config file (xccdf_org.ssgproject.content_rule_file_permissions_sshd_config, medium)
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_config:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | pcidss4 | 2.2.6, 2.2 |
| Description |
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results details
Testing mode of /etc/ssh/sshd_config
oval:ssg-test_file_permissions_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/ssh/sshd_config | oval:ssg-exclude_symlinks__sshd_config:ste:1 | oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 |
Verify Permissions on SSH Server Private *_key Key Files (xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key, medium)
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_private_key:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.13, 3.13.10 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | pcidss4 | 2.2.6, 2.2 |
| Description | SSH server private keys (files that match the /etc/ssh/*_key glob) have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter.
If they are owned by the root user but by the dedicated group ssh_keys, they can have the 0640 permission or stricter. |
| Rationale | If an unauthorized user obtains the private SSH host key file, the host could be
impersonated. |
| Warnings | warning
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. |
OVAL test results details
No keys that have unsafe ownership/permissions combination exist
oval:ssg-test_no_offending_keys:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_offending_keys:obj:1 of type
file_object
| Path | Filename | Filter | Filter | Filter |
|---|---|---|---|---|
| /etc/ssh | .*_key$ | oval:ssg-exclude_symlinks__sshd_private_key:ste:1 | oval:ssg-filter_ssh_key_owner_root:ste:1 | oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1 |
Verify Permissions on SSH Server Public *.pub Key Files (xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key, medium)
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_pub_key:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.13, 3.13.10 | | disa | CCI-000366 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | pcidss4 | 2.2.6, 2.2 |
| Description | To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
|
| Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
| Warnings | warning
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. |
OVAL test results details
Testing mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/ssh | ^.*\.pub$ | oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 | oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 |
Install usbguard Package (xccdf_org.ssgproject.content_rule_package_usbguard_installed, medium, CCE-82524-0)
| Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_usbguard_installed:def:1 |
| Time | 2025-10-23T19:36:43+00:00 |
| Severity | medium |
| Identifiers: | CCE-82524-0 |
| References: | | disa | CCI-001958, CCI-003959 | | ism | 1418 | | nist | CM-8(3), IA-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000378-GPOS-00163 | | app-srg-ctr | SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030 |
| Description |
The usbguard package can be installed with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-install
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
    - usbguard
This will install the usbguard package in all the
nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config
Operator see
the relevant documentation.
|
| Rationale | usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes.
|
OVAL test results details
package usbguard is installed
oval:ssg-test_package_usbguard_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type
rpminfo_object
Enable the USBGuard Service (xccdf_org.ssgproject.content_rule_service_usbguard_enabled, medium, CCE-82537-2)
| Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_usbguard_enabled:def:1 |
| Time | 2025-10-23T19:36:48+00:00 |
| Severity | medium |
| Identifiers: | CCE-82537-2 |
| References: | | disa | CCI-001958, CCI-003959 | | ism | 1418 | | nist | CM-8(3)(a), IA-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000378-GPOS-00163 | | app-srg-ctr | SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030 |
| Description | The USBGuard service should be enabled.
The usbguard service can be enabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
        - name: usbguard.service
          enabled: true
This will enable the usbguard service in all the
nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config
Operator see
the relevant documentation.
|
| Rationale | The usbguard service must be running in order to
enforce the USB device authorization policy for all USB devices. |
OVAL test results details
package usbguard is installed
oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type
rpminfo_object
Test that the usbguard service is running
oval:ssg-test_service_running_usbguard:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_usbguard:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|---|
| ^usbguard\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_usbguard:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
systemd test
oval:ssg-test_multi_user_wants_usbguard_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependencies |
|---|---|---|
| false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service |
Log USBGuard daemon audit events using Linux Audit
| Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
| Result | |
| Multi-check rule | no |
| Time | 2025-10-23T19:36:48+00:00 |
| Severity | low |
| Identifiers: | CCE-82538-0 |
| References: | disa: CCI-000169; nist: AU-2, CM-8(3), IA-3; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030 |
| Description | To configure the USBGuard daemon to log via Linux Audit (as opposed to logging directly to a file), the AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit. |
| Rationale | Using Linux Audit logging allows for centralized tracing of events. |
Authorize Human Interface Devices and USB hubs in USBGuard daemon
| Rule ID | xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-usbguard_allow_hid_and_hub:def:1 |
| Time | 2025-10-23T19:36:48+00:00 |
| Severity | medium |
| Identifiers: | CCE-82539-8 |
| References: | nist: CM-8(3), IA-3; ospp: FMT_SMF_EXT.1; os-srg: SRG-OS-000114-GPOS-00059; app-srg-ctr: SRG-APP-000092-CTR-000165, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030 |
| Description | To allow the USBGuard daemon to authorize USB devices that combine human interface device and hub capabilities, add the line
allow with-interface match-all { 03:*:* 09:00:* }
to /etc/usbguard/rules.conf. |
| Rationale | Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system. |
| Warnings | This rule should be understood primarily as a convenience administration feature. It ensures that if the USBGuard default rules.conf file is present, it is altered so that USB human interface devices and hubs are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB human interface devices and hubs are allowed; this assumes that the administrator modified the file with some purpose in mind. |
OVAL test results details
Check that the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ exist and contain at least one non-whitespace character
oval:ssg-test_usbguard_rules_nonempty:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/usbguard/(rules|rules\.d/.*)\.conf$ | ^.*\S+.*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82556-2 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.5.5; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203; app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950; anssi: R73; pcidss4: 10.3.4, 10.3 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82557-0 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.5.5; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219; app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950; anssi: R73; pcidss4: 10.3.4, 10.3 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82558-8 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.5.5; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203; app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950; anssi: R73; pcidss4: 10.3.4, 10.3 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82559-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82560-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82561-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr | medium | CCE-82562-0
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82562-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect changes to file extended
attributes for all users and root. Extended attributes carry POSIX ACLs, file
capabilities and security labels, so removing one alters access control even though
no mode bits change.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line; keep the b32 rule as well,
because a 64-bit kernel still services 32-bit system calls:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
The -F auid!=unset filter drops processes that never went through a login (boot-time
daemons); the check also accepts the older spelling auid!=4294967295.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file instead:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient: the
OVAL pattern used by this check matches the syscall either directly after -S or
between commas in a syscall list, so one rule line per architecture that names the
whole family of DAC-modification syscalls satisfies every rule in the family. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr | medium | CCE-82563-8
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82563-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect changes to file extended
attributes for all users and root; fsetxattr sets an attribute (a POSIX ACL, a file
capability or a security label) through an open file descriptor. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line; keep the b32 rule as well,
because a 64-bit kernel still services 32-bit system calls:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file instead:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lchown | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown | medium | CCE-82564-6
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82564-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file ownership changes
for all users and root; lchown changes the owner and group of a path without following
a final symbolic link, so it is the call used to re-own the link itself. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line; keep the b32 rule as well,
because a 64-bit kernel still services 32-bit system calls:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file instead:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
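The DAC-modification rules in this report (fchownat, fremovexattr, fsetxattr, lchown, lremovexattr, and the chmod/chown/xattr calls the guide groups with them) all follow the same procedure: one rule line per architecture in a /etc/audit/rules.d/*.rules file, carrying the syscall, both auid filters and a key. On an OpenShift node that file has to arrive through a MachineConfig rather than by editing the host. The POSIX shell script below is an added example, not code from the SSG content, the scan report or the Compliance Operator. It generates one grouped rule per architecture, checks a rules file with the OVAL test's pattern translated to grep's ERE syntax, and renders a MachineConfig that ships the file. The syscall list, the file name 75-dac-modification.rules, the MachineConfig name, the worker role and the Ignition spec version are this example's assumptions.

```shell
#!/bin/sh
# Added example; not part of the SSG rule text or the scan report.
# Generates grouped DAC-modification audit rules, checks them the way the
# OVAL textfilecontent54 test does, and wraps the file in a MachineConfig.

# Syscalls this example groups on one line per architecture (assumption:
# the guide's DAC-modification family; extend as needed).
DAC_SYSCALLS="chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr"

# Print the two rule lines. A 64-bit kernel still services 32-bit system
# calls, so the b32 line is kept alongside the b64 line.
dac_rules() {
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S $DAC_SYSCALLS -F auid>=1000 -F auid!=unset -F key=perm_mod"
    done
}

# rule_present FILE ARCH SYSCALL
# Mirrors the OVAL pattern in grep ERE: one -a always,exit line carrying the
# arch, the syscall (right after -S or between commas), both auid filters
# (auid!=unset or the older auid!=4294967295), and a key as -k or -F key=.
# Exit status 0 when such a line exists.
rule_present() {
    file=$1; arch=$2; sc=$3
    grep -Eq "^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+.*-F[[:space:]]+arch=${arch}[[:space:]]+.*(-S[[:space:]]+${sc}([[:space:]]+|,)|[[:space:],]${sc}([[:space:]]+|,)).*-F[[:space:]]+auid>=1000[[:space:]]+.*-F[[:space:]]+auid!=(4294967295|unset)[[:space:]]+.*(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$" "$file"
}

# check_coverage FILE
# Reports every (arch, syscall) pair from DAC_SYSCALLS that FILE does not
# cover; exit status 1 if anything is missing.
check_coverage() {
    file=$1; missing=0
    for arch in b32 b64; do
        for sc in $(printf '%s' "$DAC_SYSCALLS" | tr ',' ' '); do
            if ! rule_present "$file" "$arch" "$sc"; then
                echo "missing: arch=$arch syscall=$sc"
                missing=1
            fi
        done
    done
    return $missing
}

# machineconfig_yaml [ROLE]
# Renders a MachineConfig that installs the rules file on nodes with ROLE
# (default worker). The Machine Config Operator rolls it out with a reboot;
# augenrules --load picks the file up at the next auditd start.
machineconfig_yaml() {
    role=${1:-worker}
    b64=$(dac_rules | base64 | tr -d '\n')
    cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-dac-modification-${role}
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: /etc/audit/rules.d/75-dac-modification.rules
        mode: 0600
        overwrite: true
        contents:
          source: data:text/plain;charset=utf-8;base64,${b64}
EOF
}

# Usage: sh dac_audit_rules.sh demo
# Writes a temporary rules file, checks it, prints the MachineConfig.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    dac_rules > "$tmp"
    check_coverage "$tmp" && echo "all DAC syscalls covered for b32 and b64"
    machineconfig_yaml worker
    rm -f "$tmp"
fi
```

Pipe the rendered YAML to oc apply -f - for each role that needs it (a separate MachineConfig per role label). Because rule_present applies the same acceptance criteria as the OVAL object, running check_coverage against the file before rolling it out tells you whether the next scan will pass for every rule in the family, including the grouped-syscall form the warning above recommends.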
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82565-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, 
CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82566-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, 
CNTR-OS-000960 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82567-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, 
CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82568-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, CNTR-OS-000160, CNTR-OS-000930 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. The setxattr system call writes extended
attributes, which carry POSIX ACLs, SELinux security labels and file
capabilities, so it belongs with the permission-modification rules. If the
auditd daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the setxattr
system call is listed separately from other system calls. Grouping it with
the related calls, as identified earlier in this guide, is more efficient,
since each separate rule costs an extra filter evaluation on every system call exit. |
|
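As an added illustration, not part of the OpenSCAP report or of the SSG content, the following Python reproduces the textfilecontent54 pattern shown in the OVAL results for this rule and runs it over constructed rules.d text, so you can see which spellings of the rule the scanner accepts: the stand-alone line from the description, the grouped form the warning recommends, `-k` versus `-F key=`, and the different `auid!=` spellings. All sample rule lines are constructed for the example. One detail worth knowing before you write rules: this pattern accepts `auid!=4294967295` and `auid!=unset` but not `auid!=-1`, even though auditctl itself treats all three the same.

```python
import re

# Pattern copied from the report's OVAL object
# oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1; the 64-bit test is the
# same pattern with "b64" in place of "b32", so the arch is parameterised here.
_SETXATTR_RULE = (
    r"^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={arch}[\s]+)"
    r"(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))"
    r"(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+)"
    r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)


def matching_lines(rules_text, arch):
    """Return the lines of a .rules file that satisfy the scanner's pattern for ARCH."""
    pat = re.compile(_SETXATTR_RULE.format(arch=arch))
    return [line for line in rules_text.splitlines() if pat.search(line)]


def evaluate(rules_text):
    """Mimic the rule verdict: b32 and b64 each need at least one matching line."""
    return {arch: bool(matching_lines(rules_text, arch)) for arch in ("b32", "b64")}


# Constructed sample of /etc/audit/rules.d/perm_mod.rules. The first two lines are
# the description's own rules; the third is the grouped style the warning prefers;
# the fourth looks equivalent but is NOT accepted because of "auid!=-1".
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
"""

if __name__ == "__main__":
    for arch in ("b32", "b64"):
        print(arch, "->", matching_lines(SAMPLE_RULES, arch))
    print(evaluate(SAMPLE_RULES))
```

Run it against the real directory with `evaluate(open(path).read())` for each `/etc/audit/rules.d/*.rules`; the scanner's filepath pattern `^/etc/audit/rules\.d/.*\.rules$` means a file named `perm_mod.rules.disabled` or `perm_mod.conf` is never examined.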
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chcon | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon | medium | CCE-82569-5
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82569-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again with a single b32 line on a
32-bit system or both a b32 and a b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
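As an added example, not taken from the report or from the SSG project, this Python renders the per-architecture rule lines the description asks for and then evaluates them with the pattern shown in the OVAL results for this rule. It covers chcon together with restorecon, semanage and setfiles, whose checks on this page are identical apart from the binary path. Unlike the setxattr syscall pattern, this one has no wildcard between fields, so a rule that auditd loads without complaint but that carries an extra filter, such as `-F perm=x` in the older STIG style, is reported as missing. The sample rule lines are constructed for the example.

```python
import re

# Pattern copied from the report's OVAL object
# oval:ssg-object_audit_rules_execution_chcon_augenrules_32bit:obj:1, with the
# architecture and binary path turned into parameters. Field order is fixed.
_EXEC_RULE = (
    r"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch={arch}[\s]+-F[\s]+path={path}[\s]+"
    r"-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+"
    r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)

# Binaries and paths exactly as the four execution rules on this page name them.
PRIVILEGED_BINARIES = {
    "chcon": "/usr/bin/chcon",
    "restorecon": "/usr/sbin/restorecon",
    "semanage": "/usr/sbin/semanage",
    "setfiles": "/usr/sbin/setfiles",
}


def render_rules(binaries=PRIVILEGED_BINARIES, arches=("b32", "b64"), key="privileged"):
    """Produce the rule lines the description asks for, one per (arch, binary)."""
    return [
        f"-a always,exit -F arch={arch} -F path={path} -F auid>=1000 -F auid!=unset -F key={key}"
        for arch in arches
        for path in binaries.values()
    ]


def rule_present(rules_text, path, arch):
    """True if some line in RULES_TEXT satisfies the scanner's pattern for PATH/ARCH."""
    pat = re.compile(_EXEC_RULE.format(arch=arch, path=re.escape(path)))
    return any(pat.search(line) for line in rules_text.splitlines())


def audit_coverage(rules_text, binaries=PRIVILEGED_BINARIES):
    """Per binary, which architectures are covered the way the scanner checks them."""
    return {
        name: {arch: rule_present(rules_text, path, arch) for arch in ("b32", "b64")}
        for name, path in binaries.items()
    }


# Constructed line in the older STIG style: valid for auditctl, rejected by the
# pattern because "-F perm=x" sits between the path and auid filters.
OLD_STYLE_CHCON = (
    "-a always,exit -F arch=b64 -F path=/usr/bin/chcon -F perm=x "
    "-F auid>=1000 -F auid!=unset -k privileged"
)

if __name__ == "__main__":
    generated = "\n".join(render_rules())
    print(generated)
    print(audit_coverage(generated))
    print("old-style chcon accepted:", rule_present(OLD_STYLE_CHCON, "/usr/bin/chcon", "b64"))
```

Write the output of `render_rules()` to a file such as `/etc/audit/rules.d/privileged.rules` and load it with `augenrules --load`; then confirm with `auditctl -l` that the kernel holds the rules, and with `audit_coverage()` over the file that the scanner will see them too. The two checks differ: auditctl tells you what is enforced, the pattern tells you what the compliance scan will credit.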
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run restorecon | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon | medium | CCE-82570-3
Record Any Attempts to Run restorecon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_restorecon:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82570-3 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again with a single b32 line on a
32-bit system or both a b32 and a b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules restorecon
oval:ssg-test_audit_rules_execution_restorecon_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules restorecon
oval:ssg-test_audit_rules_execution_restorecon_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl restorecon
oval:ssg-test_audit_rules_execution_restorecon_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl restorecon
oval:ssg-test_audit_rules_execution_restorecon_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run semanage | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage | medium | CCE-82571-1
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_semanage:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82571-1 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again with a single b32 line on a
32-bit system or both a b32 and a b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setfiles | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles | medium | CCE-82572-9
Record Any Attempts to Run setfiles
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setfiles:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82572-9 |
| References: | disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged`
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if
your system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged`
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setfiles
oval:ssg-test_audit_rules_execution_setfiles_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules setfiles
oval:ssg-test_audit_rules_execution_setfiles_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setfiles
oval:ssg-test_audit_rules_execution_setfiles_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl setfiles
oval:ssg-test_audit_rules_execution_setfiles_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setsebool | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool | medium | CCE-82573-7
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setsebool:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82573-7 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged`
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if
your system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged`
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run seunshare | xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare | medium | CCE-82574-5
Record Any Attempts to Run seunshare
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_seunshare:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82574-5 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged`
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 for a
32-bit system, or adding two lines, one for b32 and one for b64, if
your system is 64-bit:
`-a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged`
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules seunshare
oval:ssg-test_audit_rules_execution_seunshare_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules seunshare
oval:ssg-test_audit_rules_execution_seunshare_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl seunshare
oval:ssg-test_audit_rules_execution_seunshare_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl seunshare
oval:ssg-test_audit_rules_execution_seunshare_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rename | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename | medium | CCE-82575-2
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82575-2 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.7; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960; anssi: R73; pcidss4: 10.2.1.7, 10.2.1, 10.2 |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 for a 32-bit
system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
`-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete`
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to b32 for a 32-bit
system, or adding two lines, one for b32 and one for b64, if your system is 64-bit:
`-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete`
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail can aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82576-0 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.7; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960; anssi: R73; pcidss4: 10.2.1.7, 10.2.1, 10.2 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system,
or adding two lines, one with b32 and one with b64, on a 64-bit system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, with ARCH set the same way:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rmdir:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82577-8 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.7; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960; anssi: R73; pcidss4: 10.2.1.7, 10.2.1, 10.2 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system,
or adding two lines, one with b32 and one with b64, on a 64-bit system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, with ARCH set the same way:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82578-6 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.7; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960; anssi: R73; pcidss4: 10.2.1.7, 10.2.1, 10.2 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system,
or adding two lines, one with b32 and one with b64, on a 64-bit system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, with ARCH set the same way:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82579-4 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.7; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212; app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960; anssi: R73; pcidss4: 10.2.1.7, 10.2.1, 10.2 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system; on a
64-bit system add two copies of the line, one with arch=b32 and one with arch=b64:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, again setting ARCH to b32 on a 32-bit
system or adding both a b32 and a b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - chmod | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod | medium | CCE-82619-8
Record Unsuccessful Permission Changes to Files - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82619-8 |
| References: | | disa | CCI-000172 | | nist | AU-2(d), AU-12(c), CM-6(a) |
|
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - chown | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown | medium | CCE-82620-6
Record Unsuccessful Ownership Changes to Files - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82620-6 |
| References: | | disa | CCI-000172 | | nist | AU-2(d), AU-12(c), CM-6(a) |
|
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - creat | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat | medium | CCE-82621-4
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82621-4 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.4, Req-10.2.1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205; app-srg-ctr: SRG-APP-000495-CTR-001235; anssi: R73 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82622-2 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82624-8 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - fchown (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown, medium, CCE-82625-5)
Record Unsuccessful Ownership Changes to Files - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82625-5 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file instead.
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - fchownat (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat, medium, CCE-82626-3)
Record Unsuccessful Ownership Changes to Files - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82626-3 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file instead.
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr, medium, CCE-82627-1)
Record Unsuccessful Permission Changes to Files - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82627-1 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file instead.
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
The example groups the permission-changing calls; the extended-attribute removal calls (removexattr, lremovexattr, fremovexattr) can be added to the same -S list. Whatever grouping is used, the check for this rule passes only if fremovexattr itself appears in a rule's -S list together with the matching arch, exit, auid and key fields.
|
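The fchmodat, fchown, fchownat and fremovexattr rules above are all evaluated by the same OVAL textfilecontent54 pattern, with only the architecture, system call and errno changing. The script below is an added example, not part of SCAP Security Guide or OpenSCAP: it re-implements that pattern (copied from the OVAL objects in this report) over a constructed sample rules file, reports which of the four arch/errno combinations are missing for a given syscall, and emits the remediation lines in the form the rule descriptions give. The sample file content, the function names and the assumption of a 64-bit host (so that both b32 and b64 rules are required) are all assumptions of the example.

```python
"""Re-implement the SSG audit_rules_unsuccessful_file_modification_* OVAL check.

Illustrative code only; not part of SCAP Security Guide or OpenSCAP."""
import re
from typing import Dict, List, Tuple

# Regular expression copied from the OVAL textfilecontent54 objects in this
# report, with the architecture, system call and errno turned into placeholders.
RULE_RE = (
    r"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch={arch}[\s]+)"
    r"(?:.*(-S[\s]+{syscall}[\s]+|([\s]+|[,]){syscall}([\s]+|[,])))"
    r"(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-{errno})[\s]+"
    r"(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
    r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)
# Assumption: 64-bit host, so the rule requires both architectures and both errnos.
ARCHS = ("b32", "b64")
ERRNOS = ("EACCES", "EPERM")

# Constructed sample of a file under /etc/audit/rules.d (not taken from any real host).
# fchmodat is fully covered (grouped -S list, and one line using the numeric auid
# and the -k form of the key); fchown/fchownat lack "-F auid!=unset" on the EPERM
# lines; the fremovexattr line carries an argument filter (-F a1&1), which the
# pattern's negative lookahead deliberately excludes.
SAMPLE_RULES = """\
# constructed sample: /etc/audit/rules.d/30-unsuccessful-perm-change.rules
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F a1&1 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
"""


def rule_line_present(rules_text: str, arch: str, syscall: str, errno: str) -> bool:
    """True if any line of rules_text satisfies the OVAL pattern for (arch, syscall, errno)."""
    pattern = re.compile(RULE_RE.format(arch=arch, syscall=syscall, errno=errno))
    return any(pattern.search(line) for line in rules_text.splitlines())


def evaluate_rule(rules_text: str, syscall: str) -> Dict[Tuple[str, str], bool]:
    """Per-(arch, errno) results, i.e. the four textfilecontent54 tests of one SSG rule."""
    return {(a, e): rule_line_present(rules_text, a, syscall, e) for a in ARCHS for e in ERRNOS}


def missing_rules(rules_text: str, syscall: str) -> List[str]:
    """Combinations with no matching line, as 'arch/errno' strings."""
    return [f"{a}/{e}" for (a, e), ok in evaluate_rule(rules_text, syscall).items() if not ok]


def rule_passes(rules_text: str, syscall: str) -> bool:
    """Overall rule result: every arch/errno combination must have a matching line."""
    return not missing_rules(rules_text, syscall)


def remediation_lines(rules_text: str, syscall: str, key: str = "unsuccesful-perm-change") -> List[str]:
    """Rule lines, in the form given in the rule descriptions, for each missing combination."""
    return [
        f"-a always,exit -F arch={a} -S {syscall} -F exit=-{e} -F auid>=1000 -F auid!=unset -F key={key}"
        for (a, e), ok in evaluate_rule(rules_text, syscall).items() if not ok
    ]


if __name__ == "__main__":
    for sc in ("fchmodat", "fchown", "fchownat", "fremovexattr"):
        gaps = missing_rules(SAMPLE_RULES, sc)
        print(f"{sc:13s} {'pass' if not gaps else 'fail'}  missing: {', '.join(gaps) or '-'}")
        for line in remediation_lines(SAMPLE_RULES, sc):
            print("   +", line)
```

Two things the pattern makes visible that the prose does not: a grouped `-S` list satisfies the check as long as the rule's own syscall appears in it, and a line is not counted if it lacks `-F auid!=unset` (or `4294967295`), lacks a key, or carries an argument filter such as `-F a1&1`. The real OVAL definition additionally reads the `ExecStartPost` line of auditd.service to decide whether to look in /etc/audit/rules.d or /etc/audit/audit.rules, and only requires the b64 lines when one of the 64-bit architecture tests is true; the script does neither and simply assumes rules.d content on a 64-bit host.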
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr, severity medium, CCE-82628-9)
Record Unsuccessful Permission Changes to Files - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82628-9 |
| References: | | disa | CCI-000172 | | nist | AU-2(d), AU-12(c), CM-6(a) |
|
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - ftruncate (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate, severity medium, CCE-82629-7)
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82629-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Ownership Changes to Files - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82630-5 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |

Description: The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Permission Changes to Files - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82631-3 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |

Description: The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Permission Changes to Files - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82632-1 |
| References: | disa: CCI-000172; nist: AU-2(d), AU-12(c), CM-6(a) |

Description: The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Access Attempts to Files - open (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open, severity medium, CCE-82633-9)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82633-9 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.4, Req-10.2.1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205; app-srg-ctr: SRG-APP-000495-CTR-001235; anssi: R73 |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
are listed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Access Attempts to Files - open_by_handle_at (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at, severity medium, CCE-82640-4)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82640-4 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.4, Req-10.2.1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205; app-srg-ctr: SRG-APP-000495-CTR-001235 |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
are listed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | `^ExecStartPost=\-\/sbin\/auditctl.*$` | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82641-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
|
| Description | The audit system should collect unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will ensure that unsuccessful attempts to create a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64-bit, then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | `^ExecStartPost=\-\/sbin\/auditctl.*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82642-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
|
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to modify files
if called for a write operation or with the O_TRUNC_WRITE flag.
The following audit rules will ensure that unsuccessful attempts to modify a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64-bit, then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | `^ExecStartPost=\-\/sbin\/auditctl.*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order, medium, CCE-82643-8)
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82643-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more
specific rules cover a subset of the events covered by the less specific rules; placed later, they would
be overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of the
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of the rules below in the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
| Rationale | The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_aug | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_auge | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_aug | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_auge | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e | 1 |
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_e | 1 |
Record Unsuccessful Creation Attempts to Files - open O_CREAT (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat, medium, CCE-82644-6)
Record Unsuccessful Creation Attempts to Files - open O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82644-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The open syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will assure that unsuccessful attempts to create a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| `^/etc/audit/rules\.d/.*\.rules$` | `[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+`; `^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$` | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82645-3 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.4, Req-10.2.1; os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The open syscall can be used to modify files
if called for a write operation or with the O_TRUNC_WRITE flag.
The following audit rules will assure that unsuccessful attempts to modify a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82646-1 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.4, Req-10.2.1; os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more
specific rules cover a subset of the events covered by the less specific rules; placing them
first keeps them from being overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
| Rationale | The more specific rules cover a subset of the events covered by the less specific rules.
Ordering them from more specific to less specific ensures that a less specific
rule does not catch events that are better recorded by a more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:v | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:va | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1) | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:va | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Record Unsuccessful Access Attempts to Files - openat (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat, severity medium, CCE-82634-7)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82634-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Creation Attempts to Files - openat O_CREAT (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat, severity medium, CCE-82635-4)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82635-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
|
| Description | The audit system should collect unauthorized file accesses for
all users and root. The openat syscall can be used to create new files
when the O_CREAT flag is specified. The -F a2&0100 filter in the rules below
matches calls whose flags argument (the third argument of openat, a2) has the
O_CREAT bit set; 0100 is the octal value of O_CREAT on the architectures this
check covers.
The following audit rules will ensure that unsuccessful attempts to create a
file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
|
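As an added example (not part of this report or of the SCAP Security Guide content), the following Python re-implements the intent of the openat check above and of its O_CREAT variant in readable form: it parses a rules file, keeps every `-a always,exit` rule that names the syscall for a given arch, and reports which (arch, exit code) pair has no covering rule. Unlike the OVAL patterns it does not care about the order of the -F fields, but it does reproduce one caveat those patterns encode: a rule carrying an argument mask such as -F a2&0100 satisfies only the O_CREAT rule, not the plain openat rule, because it fires only for creation attempts. The sample rules file is constructed for the demonstration; the MASKS and FLAGS_ARG tables and all function names are this example's own.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Optional

# Octal flag masks as written in the rules on this page. On the architectures
# the check covers (x86_64, ppc64/ppc64le, aarch64, s390x) O_CREAT is 0100 and
# O_WRONLY|O_RDWR|O_TRUNC is 01|02|01000 = 01003. (Example table, not SSG data.)
MASKS = {"O_CREAT": "0100", "O_TRUNC_WRITE": "01003"}

# Which syscall argument carries the open flags: open(path, flags) -> a1,
# openat(dirfd, path, flags) -> a2, open_by_handle_at(mfd, handle, flags) -> a2.
FLAGS_ARG = {"open": "a1", "openat": "a2", "open_by_handle_at": "a2"}


@dataclass(frozen=True)
class AuditRule:
    arch: Optional[str]
    syscalls: frozenset
    fields: frozenset          # -F conditions other than arch= and key=
    key: Optional[str]


def parse_rules(text: str) -> list[AuditRule]:
    """Parse '-a always,exit ...' syscall rules; comments, -w watches and
    control lines (-D, -b, -f) are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if toks[:2] != ["-a", "always,exit"]:
            continue
        arch, key, syscalls, fields = None, None, set(), set()
        # Everything after "-a always,exit" comes in option/value pairs.
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-S":
                syscalls.update(val.split(","))
            elif opt == "-k":
                key = val
            elif opt == "-F" and val.startswith("arch="):
                arch = val[len("arch="):]
            elif opt == "-F" and val.startswith("key="):
                key = val[len("key="):]
            elif opt == "-F":
                fields.add(val)
        rules.append(AuditRule(arch, frozenset(syscalls), frozenset(fields), key))
    return rules


def covers(rule: AuditRule, syscall: str, arch: str, exit_code: str,
           mask: Optional[str]) -> bool:
    """True if this one rule satisfies one (arch, exit code, mask) requirement."""
    if rule.arch != arch or syscall not in rule.syscalls or rule.key is None:
        return False
    if f"exit={exit_code}" not in rule.fields or "auid>=1000" not in rule.fields:
        return False
    # auditctl accepts all three spellings of "no login uid".
    if not rule.fields & {"auid!=unset", "auid!=4294967295", "auid!=-1"}:
        return False
    arg_filters = {f for f in rule.fields
                   if len(f) > 1 and f[0] == "a" and f[1].isdigit()}
    if mask is None:
        # Like the OVAL pattern, refuse rules carrying an argument mask: a rule
        # that fires only for O_CREAT does not record every failed openat.
        return not arg_filters
    return f"{FLAGS_ARG[syscall]}&{mask}" in arg_filters


def missing_rules(text: str, syscall: str, flag: Optional[str] = None,
                  archs=("b32", "b64")) -> list[tuple[str, str]]:
    """Return the (arch, exit code) requirements that no rule in `text` covers."""
    mask = MASKS[flag] if flag else None
    rules = parse_rules(text)
    return [(arch, exit_code)
            for arch in archs
            for exit_code in ("-EACCES", "-EPERM")
            if not any(covers(r, syscall, arch, exit_code, mask) for r in rules)]


# Constructed sample rules file (not from a real host): 64-bit access rules are
# present and grouped with other syscalls, 32-bit access rules are absent, and
# only the EACCES half of the O_CREAT rule exists for each arch.
SAMPLE_RULES = """
## constructed sample, not a real host's configuration
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    for syscall, flag in (("openat", None), ("openat", "O_CREAT")):
        gaps = missing_rules(SAMPLE_RULES, syscall, flag)
        label = syscall + (f" with {flag}" if flag else "")
        print(f"{label}: {'OK' if not gaps else 'missing ' + str(gaps)}")
```

Run against a real host's files with something like `missing_rules(open("/etc/audit/audit.rules").read(), "openat")`; on the constructed sample, the plain openat check reports both 32-bit rules missing, and the O_CREAT check reports the EPERM rule missing on both architectures. Note that the 32-bit O_CREAT rule in the sample does not rescue the plain 32-bit openat check, which is exactly the distinction the two rules on this page draw.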
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write, severity medium, CCE-82636-2)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82636-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
|
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The openat syscall can be used to modify files
if it is called for a write operation with the O_TRUNC_WRITE flag.
The following audit rules will assure that unsuccessful attempts to modify a
file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82639-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172 |
|
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the openat syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more
specific rules cover a subset of the events covered by the less specific rules; placed first,
they are not overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
| Rationale | The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_reg
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_rege
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_reg
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_rege
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex:
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var:
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex:
Referenced patterns:
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Unsuccessful Permission Changes to Files - removexattr | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr | medium | CCE-82647-9
Record Unsuccessful Permission Changes to Files - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82647-9 |
| References: | | disa | CCI-000172 | | nist | AU-2(d), AU-12(c), CM-6(a) |
|
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - rename | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename | medium | CCE-82648-7
Record Unsuccessful Delete Attempts to Files - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82648-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 |
|
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - renameat | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat | medium | CCE-82649-5
Record Unsuccessful Delete Attempts to Files - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82649-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 |
|
| Description |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82650-3 |
| References (disa) | CCI-000172 |
| References (nist) | AU-2(d), AU-12(c), CM-6(a) |

Description

The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Rationale

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82651-1 |
| References (cis-csc) | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 |
| References (cobit5) | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 |
| References (cui) | 3.1.7 |
| References (disa) | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 |
| References (hipaa) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) |
| References (isa-62443-2009) | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 |
| References (isa-62443-2013) | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 |
| References (iso27001-2013) | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 |
| References (nist) | AU-2(d), AU-12(c), CM-6(a) |
| References (nist-csf) | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 |
| References (pcidss) | Req-10.2.4, Req-10.2.1 |
| References (os-srg) | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 |
| References (app-srg-ctr) | SRG-APP-000495-CTR-001235 |
| References (anssi) | R73 |

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82652-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 |
|
| Description |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been listed separately from other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82653-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 |
|
| Description |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been listed separately from other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82580-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980 | | anssi | R73 |
|
| Description | To capture kernel module unloading events, add the following line, setting ARCH to
b32 on a 32-bit system, or adding two copies of the line, one with b32 and one with b64, if the system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_finit:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82581-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980 | | anssi | R73 |
|
| Description | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following line to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the file /etc/audit/audit.rules
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
|
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82582-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980 | | anssi | R73 |
|
| Description | To capture kernel module loading events, use the following line, setting ARCH to
b32 for a 32-bit system, or add two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82583-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 | | app-srg-ctr | SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, CNTR-OS-000970, CNTR-OS-001000 | | anssi | R73 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /var/run/faillock -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules var_accounts_passwords_pam_faillock_dir
oval:ssg-test_audit_rules_login_events_faillock_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_faillock_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/var/run/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl var_accounts_passwords_pam_faillock_dir
oval:ssg-test_audit_rules_login_events_faillock_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_faillock_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/var/run/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82584-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, CNTR-OS-000930, CNTR-OS-000970, CNTR-OS-001000 | | anssi | R73 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /var/log/lastlog -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
The following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog
oval:ssg-test_audit_rules_login_events_lastlog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_lastlog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog
oval:ssg-test_audit_rules_login_events_lastlog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_lastlog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to Alter Logon and Logout Events - tallylog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_tallylog:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82585-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 | | app-srg-ctr | SRG-APP-000503-CTR-001275, CNTR-OS-000970 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /var/log/tallylog -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules tallylog
oval:ssg-test_audit_rules_login_events_tallylog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_tallylog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl tallylog
oval:ssg-test_audit_rules_login_events_tallylog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_tallylog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - at (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at, severity medium, CCE-82590-1)
Ensure auditd Collects Information on the Use of Privileged Commands - at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_at:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82590-1 |
| References: | | disa | CCI-000172 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system; on a 64-bit system add two lines, one with b32 and
one with b64:
-a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, with ARCH set the same way:
-a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules at
oval:ssg-test_audit_rules_privileged_commands_at_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules at
oval:ssg-test_audit_rules_privileged_commands_at_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl at
oval:ssg-test_audit_rules_privileged_commands_at_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl at
oval:ssg-test_audit_rules_privileged_commands_at_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chage (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage, severity medium, CCE-82591-9)
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chage:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82591-9 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000960 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system; on a 64-bit system add two lines, one with b32 and
one with b64:
-a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, with ARCH set the same way:
-a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh, severity medium, CCE-82592-7)
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chsh:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82592-7 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system; on a 64-bit system add two lines, one with b32 and
one with b64:
-a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, with ARCH set the same way:
-a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab, severity medium, CCE-82593-5)
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_crontab:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82593-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system; on a 64-bit system add two lines, one with b32 and
one with b64:
-a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, with ARCH set the same way:
-a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_gpasswd:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82594-3 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, again setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_mount:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82595-0 |
| References: | disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000029-CTR-000085, CNTR-OS-000080 |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, again setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules mount
oval:ssg-test_audit_rules_privileged_commands_mount_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules mount
oval:ssg-test_audit_rules_privileged_commands_mount_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl mount
oval:ssg-test_audit_rules_privileged_commands_mount_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl mount
oval:ssg-test_audit_rules_privileged_commands_mount_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgidmap:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82596-8 |
| References: | disa: CCI-000172; nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, again setting ARCH to b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgrp:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82597-6 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, replacing ARCH with b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system. Both lines are needed on a 64-bit system
because a rule keyed to arch=b64 does not match an execve made through
the 32-bit compatibility syscall interface:
-a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again replacing ARCH with b32 on a
32-bit system or adding both the b32 and the b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap, severity medium, CCE-82598-4)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newuidmap:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82598-4 |
| References: | | disa | CCI-000172 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, replacing ARCH with b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again replacing ARCH with b32 on a
32-bit system or adding both the b32 and the b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check, severity medium, CCE-82599-2)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82599-2 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, replacing ARCH with b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again replacing ARCH with b32 on a
32-bit system or adding both the b32 and the b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd, severity medium, CCE-82600-8)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_passwd:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82600-8 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, replacing ARCH with b32 on a
32-bit system, or adding two lines, one with arch=b32 and one with
arch=b64, on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, again replacing ARCH with b32 on a
32-bit system or adding both the b32 and the b64 line on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
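The four rules above (newgrp, newuidmap, pam_timestamp_check and passwd) describe the same procedure, so one worked example serves all of them. It is an added example, not code from ComplianceAsCode, OpenSCAP or the OpenShift Compliance Operator: a POSIX shell script that writes an augenrules-style file containing both the b32 and the b64 line for each of the four commands, then checks the file with a POSIX ERE translation of the textfilecontent54 pattern shown in the OVAL details. The file name privileged-commands.rules, the script name and the function names are assumptions. Because the report's pattern fixes the field order, the check also shows that a rule written with an extra -F perm=x, or with its fields in another order, is a valid audit rule that auditd will load but that this scan still reports as missing.

```shell
#!/bin/sh
# Added example (not from ComplianceAsCode or the OpenSCAP report).
# Writes the privileged-command audit rules for the four rules above into an
# augenrules-style file and verifies the file the way the OVAL tests do.
# The target file name (e.g. /etc/audit/rules.d/privileged-commands.rules) is
# an assumption; anything ending in .rules under /etc/audit/rules.d works.

# Paths exactly as the four rule descriptions state them.
PRIV_CMDS="/usr/bin/newgrp /usr/bin/newuidmap /usr/sbin/pam_timestamp_check /usr/bin/passwd"

# One rule line, in the field order the OVAL pattern expects.
emit_rule() {  # $1 = b32|b64, $2 = absolute path of the command
    printf '%s\n' "-a always,exit -F arch=$1 -F path=$2 -F auid>=1000 -F auid!=unset -F key=privileged"
}

# Write the b32 and the b64 line for every command. A 64-bit system needs both:
# a b64 rule does not see an execve made through the 32-bit compat syscall ABI.
write_rules() {  # $1 = output file
    : > "$1"
    for p in $PRIV_CMDS; do
        emit_rule b32 "$p" >> "$1"
        emit_rule b64 "$p" >> "$1"
    done
}

# POSIX ERE translation of the report's textfilecontent54 pattern
# ([\s] -> [[:space:]], (?:...) -> (...)). The field order is fixed, so a line
# with an extra -F perm=x, or with fields reordered, does not match.
check_rule() {  # $1 = rules file, $2 = b32|b64, $3 = path; exit 0 when a line matches
    S='[[:space:]]'
    path_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -E -q "^${S}*-a${S}+always,exit${S}+-F${S}+arch=$2${S}+-F${S}+path=${path_re}${S}+-F${S}+auid>=1000${S}+-F${S}+auid!=(4294967295|unset|-1)${S}+(-k${S}+|-F${S}+key=)[^[:space:]]+${S}*\$" "$1"
}

# Report every (arch, command) pair; exit status 1 if any is missing.
verify_rules() {  # $1 = rules file
    rc=0
    for p in $PRIV_CMDS; do
        for a in b32 b64; do
            if check_rule "$1" "$a" "$p"; then
                echo "ok       $a $p"
            else
                echo "MISSING  $a $p"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh privileged-audit-rules.sh /etc/audit/rules.d/privileged-commands.rules
# With no argument only the functions are defined. After writing the real file,
# run "augenrules --load" (or restart auditd) and confirm the kernel took the
# rules with "auditctl -l | grep privileged".
if [ -n "${1:-}" ]; then
    write_rules "$1"
    verify_rules "$1"
fi
```

The report this page comes from is for OpenShift nodes running RHCOS, where a file under /etc/audit/rules.d is normally delivered through a MachineConfig rather than edited in place on the node; the script is still useful there to generate the file content and to pre-check it against the scanner's pattern before rolling it out.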
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop | medium | CCE-82601-6
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postdrop:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82601-6 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit
system, or adding two such lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two such lines, one with b32 and one with b64,
on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue | medium | CCE-82602-4
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postqueue:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82602-4 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit
system, or adding two such lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two such lines, one with b32 and one with b64,
on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown | medium | CCE-82603-2
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_pt_chown:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82603-2 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000135, CCI-000172, CCI-002884; isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000950, CNTR-OS-000960 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit
system, or adding two such lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two such lines, one with b32 and one with b64,
on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign | medium | CCE-82604-0
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82604-0 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit
system, or adding two such lines, one with b32 and one with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two such lines, one with b32 and one with b64,
on a 64-bit system:
-a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_su:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82605-7 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220; app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules su
oval:ssg-test_audit_rules_privileged_commands_su_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules su
oval:ssg-test_audit_rules_privileged_commands_su_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl su
oval:ssg-test_audit_rules_privileged_commands_su_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl su
oval:ssg-test_audit_rules_privileged_commands_su_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudo:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82606-5 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220; app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950; anssi: R33 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudoedit:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82607-3 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220; app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules, setting ARCH to b32 on a
32-bit system, or adding two lines, one for b32 and one for b64, if your
system is 64-bit:
-a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - umount (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount, severity medium, CCE-82608-1)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_umount:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82608-1 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000029-CTR-000085, CNTR-OS-000080 |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with the suffix .rules
in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32;
on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
-a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, choosing ARCH as above:
-a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd, severity medium, CCE-82609-9)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82609-9 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5; nist: AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930 |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with the suffix .rules
in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32;
on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
-a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, choosing ARCH as above:
-a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
Note that the OVAL checks in this report match the path /usr/sbin/unix_chkpwd in the rule line.
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper, severity medium, CCE-82610-7)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_userhelper:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82610-7 |
| References: | cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215; app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930 |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with the suffix .rules
in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32;
on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
-a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, choosing ARCH as above:
-a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl, severity medium, CCE-82611-5)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_usernetctl:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82611-5 |
| References: | disa: CCI-000172; nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with the suffix .rules
in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32;
on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
-a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
same form to /etc/audit/audit.rules, choosing ARCH as above:
-a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record attempts to alter time through adjtimex (rule xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex, severity medium, CCE-82614-9)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_adjtimex:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82614-9 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-001487, CCI-000169; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.4.2.b; anssi: R73; pcidss4: 10.6.3, 10.6 |
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
`-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules`
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
`-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules`
The -k option (equivalently, the -F key= filter used in the rules above) specifies a key in string form that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
`-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through clock_settime (rule xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime, severity medium, CCE-82615-6)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_clock_settime:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82615-6 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-001487, CCI-000169; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.4.2.b; anssi: R73; pcidss4: 10.6.3, 10.6 |
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
`-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change`
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
`-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change`
The -F a0=0x0 filter restricts the rule to calls whose first argument (the clock ID) is 0, that is, CLOCK_REALTIME, the system wall-clock time. The -k option (equivalently, the -F key= filter used in the rules above) specifies a key in string form that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
`-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
Record attempts to alter time through settimeofday (rule xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday, severity medium, CCE-82616-4)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_settimeofday:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82616-4 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-001487, CCI-000169; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.4.2.b; pcidss4: 10.6.3, 10.6 |
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
`-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules`
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
`-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules`
If the system is 64 bit, then also add the following line:
`-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules`
The -k option (equivalently, the -F key= filter used in the rules above) specifies a key in string form that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
`-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through stime (rule xccdf_org.ssgproject.content_rule_audit_rules_time_stime, severity medium, CCE-82617-2)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_stime:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82617-2 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-001487, CCI-000169; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.4.2.b; anssi: R73; pcidss4: 10.6.3, 10.6 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but this is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
|
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
OVAL test results details
32 bit architecture
oval:ssg-test_system_info_architecture_x86:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit stime
oval:ssg-test_32bit_art_stime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit stime
oval:ssg-test_32bit_art_stime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter the localtime File (xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime, medium, CCE-82618-0)
Record Attempts to Alter the localtime File
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_watch_localtime:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82618-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001487, CCI-000169 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.4.2.b | | anssi | R73 | | pcidss4 | 10.6.3, 10.6 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/localtime -p wa -k audit_time_rules
|
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules localtime
oval:ssg-test_audit_rules_time_watch_localtime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_time_watch_localtime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/localtime[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl localtime
oval:ssg-test_audit_rules_time_watch_localtime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_time_watch_localtime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/localtime[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open, medium, CCE-82700-6)
Record Events that Modify User/Group Information via open syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_open:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82700-6 |
| References: | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
| Rationale | Creation of groups by directly editing /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at, medium, CCE-82702-2)
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82702-2 |
| References: | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
| Rationale | Creation of groups by directly editing /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat, medium, CCE-82701-4)
Record Events that Modify User/Group Information via openat syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_openat:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82701-4 |
| References: | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
| Rationale | Creation of groups by directly editing /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/gshadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open, severity medium, CCE-82703-0)

| Field | Value |
|---|---|
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_open:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers | CCE-82703-0 |
| References | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |

Description

The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale

Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at, severity medium, CCE-82705-5)

| Field | Value |
|---|---|
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers | CCE-82705-5 |
| References | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |

Description

The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale

Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat, severity medium, CCE-82704-8)

| Field | Value |
|---|---|
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_openat:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers | CCE-82704-8 |
| References | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |

Description

The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

Rationale

Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/passwd (xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open, severity medium, CCE-82706-3)

| Field | Value |
|---|---|
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_open:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers | CCE-82706-3 |
| References | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |

Description

The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

Rationale

Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82708-9 |
| References: | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
|
| Rationale | Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_openat:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82707-1 |
| References: | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
|
| Rationale | Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_open:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82709-7 |
| References: | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description | The audit system should collect write events to /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
| Rationale | Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82711-3 |
| References: | nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3; nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
| Description | The audit system should collect write events to /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
| Rationale | Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/shadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat, severity: medium, CCE-82710-5)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_openat:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82710-5 |
| References: | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) |
|
| Description | The audit system should collect write events to the /etc/shadow file for all users and root. The a2&03 filter masks the third openat argument (the open flags) against O_ACCMODE, so only opens for writing (O_WRONLY or O_RDWR) are recorded; the auid filters restrict the rule to sessions whose login UID is 1000 or higher, so direct root logins (auid 0) and daemons with an unset login UID are not matched.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64-bit, also add the following line in the same location:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
| Rationale | Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
Be aware that a grouped rule applies one argument filter to every listed syscall: a2 is the flags argument of openat and open_by_handle_at, but the mode argument of open (whose flags are a1), so the grouped form above does not catch writes made through the open syscall itself. If that syscall matters on your platform, give open its own rule with -F a1&03.
|
|
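The following is an added example, not code from the OpenSCAP report or the SCAP Security Guide. It re-implements the auditctl filter operators (=, !=, <, >, <=, >=, &, &=) with the kernel's comparator semantics and runs the rule above against constructed openat records, so the effect of the a2&03 mask and of the auid filters is visible. Only the fields the rule uses are modelled, -F path= is treated as plain string equality (the kernel implements it as an inode watch), and the SyscallRecord values are invented test data.

```python
"""Model of how the kernel evaluates the /etc/shadow openat rule (added example)."""
import re
from dataclasses import dataclass

AUID_UNSET = 4294967295          # kernel representation of an unset login UID (-1 as u32)
O_RDONLY, O_WRONLY, O_RDWR = 0, 1, 2
O_CLOEXEC = 0o2000000
AT_FDCWD = 0xFFFFFF9C            # -100 as the unsigned value seen in an audit record


@dataclass(frozen=True)
class SyscallRecord:
    """One syscall-exit event as the audit subsystem sees it (constructed test data)."""
    arch: str        # syscall ABI: "b32" or "b64"
    syscall: str     # syscall name, e.g. "openat"
    args: tuple      # a0..a3
    path: str        # path of the file the syscall touched
    auid: int        # login UID of the calling process


def c_strtoul(text):
    """Parse a numeric value the way auditctl does (strtoul base 0: 0x.. hex, 0.. octal)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def parse_rule(line):
    """Split an `-a always,exit ...` rule into (arch, syscalls, field filters, key)."""
    toks = line.split()
    arch, syscalls, filters, key = None, [], [], None
    for i in range(0, len(toks), 2):
        opt, val = toks[i], toks[i + 1]
        if opt == "-S":
            syscalls.extend(val.split(","))
        elif opt == "-k":
            key = val
        elif opt == "-F" and val.startswith("arch="):
            arch = val[len("arch="):]
        elif opt == "-F" and val.startswith("key="):
            key = val[len("key="):]
        elif opt == "-F":
            filters.append(val)
        elif opt != "-a":
            raise ValueError(f"unsupported option {opt}")
    return arch, syscalls, filters, key


FILTER_RE = re.compile(r"^(?P<field>[a-z0-9]+)(?P<op>>=|<=|!=|&=|=|>|<|&)(?P<value>.+)$")

# auditctl operators with the kernel's audit_comparator semantics:
# `&` is true when any masked bit is set, `&=` only when all of them are.
OPS = {
    "=": lambda l, r: l == r, "!=": lambda l, r: l != r,
    "<": lambda l, r: l < r, ">": lambda l, r: l > r,
    "<=": lambda l, r: l <= r, ">=": lambda l, r: l >= r,
    "&": lambda l, r: (l & r) != 0, "&=": lambda l, r: (l & r) == r,
}


def filter_matches(expr, rec):
    """Evaluate one `-F field<op>value` expression against a syscall record."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"bad filter {expr!r}")
    field, op, value = m.group("field"), m.group("op"), m.group("value")
    if field == "path":
        return OPS[op](rec.path, value)
    if field == "auid":
        return OPS[op](rec.auid, AUID_UNSET if value == "unset" else int(value))
    if re.fullmatch(r"a[0-3]", field):
        return OPS[op](rec.args[int(field[1])], c_strtoul(value))
    raise ValueError(f"field {field!r} not modelled")


def rule_matches(line, rec):
    """True if the rule would emit an audit event for this syscall exit."""
    arch, syscalls, filters, _key = parse_rule(line)
    if arch is not None and rec.arch != arch:
        return False
    if rec.syscall not in syscalls:
        return False
    return all(filter_matches(f, rec) for f in filters)


SHADOW_RULE_B64 = ("-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow "
                   "-F auid>=1000 -F auid!=unset -F key=user-modify")
GROUPED_RULE_B64 = ("-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 "
                    "-F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify")

# Constructed syscall records (label, record); the pointer value 0x7f00 is a placeholder.
SAMPLES = [
    ("vipw by uid 1000", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_WRONLY | O_CLOEXEC, 0), "/etc/shadow", 1000)),
    ("passwd by uid 1042 (O_RDWR)", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_RDWR, 0), "/etc/shadow", 1042)),
    ("sshd reads shadow (daemon, auid unset)", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_RDONLY | O_CLOEXEC, 0), "/etc/shadow", AUID_UNSET)),
    ("uid 1000 reads shadow (read-only)", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_RDONLY, 0), "/etc/shadow", 1000)),
    ("console root login edits shadow (auid 0)", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_WRONLY, 0), "/etc/shadow", 0)),
    ("uid 1000 writes /etc/passwd", SyscallRecord("b64", "openat", (AT_FDCWD, 0x7f00, O_WRONLY, 0), "/etc/passwd", 1000)),
    ("32-bit ABI openat for writing", SyscallRecord("b32", "openat", (AT_FDCWD, 0x7f00, O_WRONLY, 0), "/etc/shadow", 1000)),
]

# For open(2) the flags are a1 and a2 is the mode, so the grouped rule's a2&03 misses this call.
OPEN_WRITE = SyscallRecord("b64", "open", (0x7f00, O_WRONLY, 0, 0), "/etc/shadow", 1000)


def evaluate(rule, samples=SAMPLES):
    """Return {label: matched} for every sample record."""
    return {label: rule_matches(rule, rec) for label, rec in samples}


if __name__ == "__main__":
    for label, hit in evaluate(SHADOW_RULE_B64).items():
        print(f"{'EVENT ' if hit else 'silent'}  {label}")
    print("grouped rule matches open(O_WRONLY):", rule_matches(GROUPED_RULE_B64, OPEN_WRITE))
```

Only the first two records produce an event: read-only opens fail the a2&03 mask, the console root login and the daemon fail the auid filters, and the 32-bit record fails the arch filter, which is why the rule has to be present once per ABI.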
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Make the auditd Configuration Immutable (xccdf_org.ssgproject.content_rule_audit_rules_immutable, severity: medium, CCE-82668-5)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82668-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1, 3.4.3 | | disa | CCI-000163, CCI-000164, CCI-000162 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.2 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 | | app-srg-ctr | SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, CNTR-OS-000310 | | anssi | R73 | | pcidss4 | 10.3.2, 10.3 |
|
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
Once the lock is set, auditctl refuses any further rule changes, so this must be the last line loaded: with augenrules, keep it in the file that sorts last (the audit package's sample layout uses 99-finalize.rules), and with auditctl put it at the end of /etc/audit/audit.rules. With this setting, a reboot will be required to change any audit rules; auditctl -s reports enabled 2 while the lock is active. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-e\s+2\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-e\s+2\s*$ | 1 |
Record Events that Modify the System's Mandatory Access Controls (xccdf_org.ssgproject.content_rule_audit_rules_mac_modification, severity: medium, CCE-82586-9)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_mac_modification:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82586-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.8 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
|
| Rationale | The system's mandatory access policy (SELinux or AppArmor) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules
oval:ssg-test_armm_selinux_watch_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl
oval:ssg-test_armm_selinux_watch_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on Exporting to Media (successful) (xccdf_org.ssgproject.content_rule_audit_rules_media_export, severity: medium, CCE-82587-7)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_media_export:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82587-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235, CNTR-OS-000930 | | anssi | R73 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 |
|
| Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit
system, or adding the line twice, once with b32 and once with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the same line to
the /etc/audit/audit.rules file, with ARCH set the same way:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
|
| Rationale | The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit mount
oval:ssg-test_32bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit mount
oval:ssg-test_64bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit mount
oval:ssg-test_32bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit mount
oval:ssg-test_64bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Network Environment (xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification, severity: medium, CCE-82588-5)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_networkconfig_modification:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82588-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | anssi | R73 | | pcidss4 | 10.3.4, 10.3 |
|
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system,
or adding the syscall line twice, once with b32 and once with b64, on a
64-bit system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the same lines to
the /etc/audit/audit.rules file, with ARCH set the same way:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
| Rationale | The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited. |
|
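The following is an added example, not code from the OpenSCAP report or the SCAP Security Guide. It re-implements offline the rules.d checks the report runs for the four preceding rules: the -e 2 lock (audit_rules_immutable), the /etc/selinux/ watch (audit_rules_mac_modification), the mount syscall rule (audit_rules_media_export) and the sethostname rule plus file watches (audit_rules_networkconfig_modification). It takes /etc/audit/rules.d as a mapping of file name to file text so it can run on the constructed RULES_D below, which deliberately has one watch lacking the a permission, no 32-bit mount rule, and the lock in a file that does not sort last. Merge order imitates augenrules' natural sort (ls -v); augenrules' own handling of -D, -e and -f lines is not modelled, so the lock-position finding is advisory and everything else mirrors the regexes shown in the OVAL results.

```python
"""Offline check of /etc/audit/rules.d contents against the rules on this page (added example)."""
import re

REQUIRED_WATCHES = ["/etc/selinux/", "/etc/issue", "/etc/issue.net",
                    "/etc/hosts", "/etc/sysconfig/network"]

# Constructed stand-in for /etc/audit/rules.d (not taken from any real host).
RULES_D = {
    "10-base-config.rules": "## base settings\n-D\n-b 8192\n-f 1\n",
    "30-mac.rules": "-w /etc/selinux/ -p wa -k MAC-policy\n",
    "30-media.rules": ("-a always,exit -F arch=b64 -S mount -F auid>=1000 "
                       "-F auid!=unset -F key=export\n"),
    "30-network.rules": (
        "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification\n"
        "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification\n"
        "-w /etc/issue -p wa -k audit_rules_networkconfig_modification\n"
        "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\n"
        "-w /etc/hosts -p w -k audit_rules_networkconfig_modification\n"
        "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\n"),
    "50-immutable.rules": "-e 2\n",
    "70-local.rules": "-w /etc/sudoers -p wa -k actions\n",
    "README": "not a rules file, ignored by augenrules\n",
}

WATCH_RE = re.compile(r"^-w\s+(?P<path>\S+)\s+-p\s+(?P<perms>[rwxa]+)(?:\s+(?:-k\s+|-F\s+key=)\S+)?\s*$")
LOCK_RE = re.compile(r"^-e\s+2\s*$")   # same pattern as the report's OVAL test


def natural_key(name):
    """Sort key imitating `ls -v`, the order augenrules merges component files in."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def rules_files(rules_d):
    return sorted((n for n in rules_d if n.endswith(".rules")), key=natural_key)


def merged_rules(rules_d):
    """(file, rule) for every non-comment, non-blank line, in merge order."""
    for fname in rules_files(rules_d):
        for line in rules_d[fname].splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                yield fname, line


def watch_ok(rule, path):
    """-w PATH -p PERMS with PERMS containing both w and a, as the report's regex requires."""
    m = WATCH_RE.match(rule)
    return bool(m) and m.group("path") == path and {"w", "a"} <= set(m.group("perms"))


def syscall_rule_ok(rule, arch, syscall, need_auid=True):
    """-a always,exit, -F arch=ARCH, SYSCALL in an -S list, optional auid filters, and a key."""
    toks = rule.split()
    if toks[:2] != ["-a", "always,exit"]:
        return False
    syscalls = {s for i, t in enumerate(toks[:-1]) if t == "-S" for s in toks[i + 1].split(",")}
    has_key = "-k" in toks or any(t.startswith("key=") for t in toks)
    auid_ok = not need_auid or ("auid>=1000" in toks and
                                ("auid!=unset" in toks or "auid!=4294967295" in toks))
    return f"arch={arch}" in toks and syscall in syscalls and has_key and auid_ok


def check(rules_d):
    """Return findings per rule; an empty list means that rule would pass."""
    rules = list(merged_rules(rules_d))
    files = rules_files(rules_d)
    findings = {"watches": [], "mount": [], "sethostname": [], "lock": []}
    for path in REQUIRED_WATCHES:
        if not any(watch_ok(r, path) for _, r in rules):
            findings["watches"].append(f"no '-w {path} -p wa' rule")
    for arch in ("b32", "b64"):
        if not any(syscall_rule_ok(r, arch, "mount") for _, r in rules):
            findings["mount"].append(f"no {arch} mount rule")
        if not any(syscall_rule_ok(r, arch, "sethostname", need_auid=False) for _, r in rules):
            findings["sethostname"].append(f"no {arch} sethostname rule")
    lock_at = [i for i, (_, r) in enumerate(rules) if LOCK_RE.match(r)]
    if not lock_at:
        findings["lock"].append("no '-e 2' line in any .rules file")
    else:
        fname = rules[lock_at[0]][0]
        after = [r for _, r in rules[lock_at[0] + 1:]]
        if fname != files[-1] or after:
            # Rules loaded after the lock are rejected; keep the lock in the last-sorting file.
            findings["lock"].append(f"'-e 2' is in {fname} with {len(after)} rule(s) merged after it; "
                                    "move it to the last-sorting file such as 99-finalize.rules")
    return findings


if __name__ == "__main__":
    for name, problems in check(RULES_D).items():
        print(name, "PASS" if not problems else "FAIL: " + "; ".join(problems))
```

Running it against the constructed directory reports the missing a permission on the /etc/hosts watch, the absent b32 mount rule and the badly placed lock, and a clean result once those three are corrected; feed it the real directory contents (for example by reading each file under /etc/audit/rules.d into the mapping) to preview what the scanner will find before the next run.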
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/issue augenrules
oval:ssg-test_arnm_etc_issue_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net augenrules
oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts augenrules
oval:ssg-test_arnm_etc_hosts_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network augenrules
oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/issue auditctl
oval:ssg-test_arnm_etc_issue_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net auditctl
oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts auditctl
oval:ssg-test_arnm_etc_hosts_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network auditctl
oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_session_events:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82612-3 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ism: 0582, 0584, 05885, 0586, 0846, 0957; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nist: AU-2(d), AU-12(c), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.3; app-srg-ctr: SRG-APP-000505-CTR-001285, CNTR-OS-000990; anssi: R73; pcidss4: 10.2.1.3, 10.2.1, 10.2 |
| Description | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules utmp
oval:ssg-test_arse_utmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules btmp
oval:ssg-test_arse_btmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules wtmp
oval:ssg-test_arse_wtmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl utmp
oval:ssg-test_arse_utmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl btmp
oval:ssg-test_arse_btmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl wtmp
oval:ssg-test_arse_wtmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
Ensure auditd Collects System Administrator Actions
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_sysadmin_actions:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82613-1 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.1.7; disa: CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; nist: AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a); nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.2.2, Req-10.2.5.b; os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221; app-srg-ctr: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305, CNTR-OS-000050, CNTR-OS-000060, CNTR-OS-000070; anssi: R73; pcidss4: 10.2.1.5, 10.2.1, 10.2 |
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
|
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system and for accountability purposes. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers
oval:ssg-test_audit_rules_sudoers_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sudoers_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers_d
oval:ssg-test_audit_rules_sudoers_d_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers_d
oval:ssg-test_audit_rules_sudoers_d_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_group:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82654-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, 
SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970 | | anssi | R73 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /etc/group -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82655-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, 
SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970 | | anssi | R73 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82656-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, 
SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000970 | | anssi | R73 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_passwd:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82657-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, 
SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970 | | anssi | R73 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_shadow:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82658-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | disa | CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, 
SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970 | | anssi | R73 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*\|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Access Events to Audit Log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_directory_access_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_access_var_log_audit:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82712-1 |
| References: | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | pcidss4 | 10.3.1, 10.3 |
|
| Description | The audit system should collect access events to the audit log directory.
The following audit rule ensures that read access to the audit log directory is
collected.
Set ARCH to b32 on a 32-bit system; on a 64-bit system, add two lines, one with b32 and one with b64.
-a always,exit -F arch=ARCH -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rule to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rule to the
/etc/audit/audit.rules file. |
| Rationale | Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules
oval:ssg-test_directory_access_var_log_audit_augenrules_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_access_var_log_audit_augenrules_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit augenrules
oval:ssg-test_directory_access_var_log_audit_augenrules_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_access_var_log_audit_augenrules_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl
oval:ssg-test_directory_access_var_log_audit_auditctl_32bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_access_var_log_audit_auditctl_32bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type
uname_object
audit auditctl
oval:ssg-test_directory_access_var_log_audit_auditctl_64bit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_access_var_log_audit_auditctl_64bit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
System Audit Logs Must Have Mode 0750 or Less Permissive | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit | medium | CCE-82692-5
System Audit Logs Must Have Mode 0750 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_permissions_var_log_audit:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82692-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | disa | CCI-000162, CCI-000163, CCI-000164 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5 | | nist | CM-6(a), AC-6(1), AU-9 | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 |
|
| Description |
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log directory with the following command:
$ sudo chmod 0750 /var/log/audit
Otherwise, change the mode of the audit log directory with the following command:
$ sudo chmod 0700 /var/log/audit
|
| Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0750
oval:ssg-test_dir_permissions_audit_log-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_directory-non_root:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| /var/log/audit/audit.log | | /var/log/audit |
| no value | no value | oval:ssg-state_not_mode_0750:ste:1 |
/var/log/audit mode 0700
oval:ssg-test_dir_permissions_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_directory:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| /var/log/audit/audit.log | | /var/log/audit |
| no value | no value | oval:ssg-state_not_mode_0700:ste:1 |
/var/log/audit mode 0700
oval:ssg-test_dir_permissions_var_log_audit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | /var/log/audit | no value | oval:ssg-state_not_mode_0700:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0750
oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory-non_root:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | /var/log/audit | no value | oval:ssg-state_not_mode_0750:ste:1 |
System Audit Logs Must Be Owned By Root | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit | medium | CCE-82691-7
System Audit Logs Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_var_log_audit:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82691-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | cui | 3.3.1 | | disa | CCI-000162, CCI-000163, CCI-000164, CCI-001314 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1), AU-9(4) | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.1 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 | | app-srg-ctr | SRG-APP-000118-CTR-000240, CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300 | | pcidss4 | 10.3.2, 10.3 |
|
| Description | All audit logs must be owned by the root user and group. By default, the path for the audit log is /var/log/audit/.
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
|
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results details
/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 |
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | /var/log/audit | no value | oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /var/log/audit/audit.log.2 | regular | 0 | 0 | 8388857 | r-------- |
| not evaluated | /var/log/audit/audit.log.1 | regular | 0 | 0 | 8388964 | r-------- |
| not evaluated | /var/log/audit/audit.log | regular | 0 | 0 | 511486 | rw------- |
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /var/log/audit/ | directory | 0 | 0 | 61 | rwx------ |
System Audit Logs Must Have Mode 0640 or Less Permissive | xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit | medium | CCE-82690-9
System Audit Logs Must Have Mode 0640 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_var_log_audit:def:1 |
| Time | 2025-10-23T19:36:54+00:00 |
| Severity | medium |
| Identifiers: | CCE-82690-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | cui | 3.3.1 | | disa | CCI-000163, CCI-000164, CCI-001314, CCI-000162 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1), AU-9(4) | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | | app-srg-ctr | SRG-APP-000118-CTR-000240, CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300 | | pcidss4 | 10.3.1, 10.3 |
|
| Description |
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct
mode with the following command:
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log". |
| Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files mode 0600
oval:ssg-test_file_permissions_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_files:obj:1 of type
file_object
| Filepath | Filter |
|---|---|
| /var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
default audit log files mode 0600
oval:ssg-test_file_permissions_default_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_default_log_files:obj:1 of type
file_object
| Filepath | Filter |
|---|---|
| /var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
Configure auditd Disk Error Action on Disk Error | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action | medium | CCE-82679-2
Configure auditd Disk Error Action on Disk Error
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_error_action:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82679-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | disa | CCI-000140 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | os-srg | SRG-OS-000047-GPOS-00023 | | app-srg-ctr | SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670 |
|
| Description | The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include
syslog, exec, single, and halt.
For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records. |
|
OVAL test results details
disk full action
oval:ssg-test_auditd_data_disk_error_action:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/audit/auditd.conf | disk_error_action = SUSPEND |
Configure auditd Disk Full Action when Disk Space Is Full | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action | medium | CCE-82676-8
Configure auditd Disk Full Action when Disk Space Is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_full_action:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82676-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | disa | CCI-000140 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | os-srg | SRG-OS-000047-GPOS-00023 |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include
syslog, exec, single, and halt.
For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records. |
|
OVAL test results details
disk error action
oval:ssg-test_auditd_data_disk_full_action:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/audit/auditd.conf | disk_full_action = SUSPEND |
Configure auditd admin_space_left Action on Low Disk Space | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action | medium | CCE-82677-6
Configure auditd admin_space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_action:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82677-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | disa | CCI-001855 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | pcidss4 | 10.5.1, 10.5 |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur. |
|
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/audit/auditd.conf | admin_space_left_action = SUSPEND |
Configure auditd flush priority | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush | medium | CCE-82508-3
Configure auditd flush priority
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_flush:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82508-3 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1 | | disa | CCI-001576 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AU-11, CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | ospp | FAU_GEN.1 | | os-srg | SRG-OS-000480-GPOS-00227 |
|
| Description | The auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = incremental_async
|
| Rationale | Audit data should be synchronously written to disk to ensure
log integrity. These parameters assure that all audit event data is fully
synchronized with the log files on the disk. |
OVAL test results details
test the value of flush parameter in /etc/audit/auditd.conf
oval:ssg-test_auditd_data_retention_flush:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | flush = INCREMENTAL_ASYNC |
Configure auditd Max Log File Size | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file | medium | CCE-82694-1
Configure auditd Max Log File Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82694-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7 | | nerc-cip | CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AU-11, CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 |
|
| Description | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line, substituting
the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
| Rationale | The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained. |
OVAL test results details
max log file size
oval:ssg-test_auditd_data_retention_max_log_file:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | max_log_file = 8 |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action | medium | CCE-82680-0
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82680-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | disa | CCI-000140 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000047-GPOS-00023 |
|
| Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ignore, syslog, suspend, rotate, keep_logs
Set the ACTION to rotate.
The setting is case-insensitive. |
| Rationale | Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | max_log_file_action = ROTATE |
Configure auditd Number of Logs Retained | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs | medium | CCE-82693-3
Configure auditd Number of Logs Retained
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_num_logs:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82693-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7 | | nerc-cip | CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AU-11, CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 |
|
| Description | Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf. Add or modify the following
line, substituting NUMLOGS with the correct value of 5:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation. |
| Rationale | The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained. |
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_num_logs:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | num_logs = 5 |
Configure auditd space_left on Low Disk Space (xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left, severity medium, CCE-82681-8)
Configure auditd space_left on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82681-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | disa | CCI-001855 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | pcidss4 | 10.5.1, 10.5 |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in megabytes to cause the system to
notify the user of an issue. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption. |
|
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_space_left:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/audit/auditd.conf | space_left = 75 |
Configure auditd space_left Action on Low Disk Space (xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action, severity medium, CCE-82678-4)
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82678-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | disa | CCI-001855 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | pcidss4 | 10.5.1, 10.5 |
|
| Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslog, email, exec, suspend, single, halt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_space_left_action:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | space_left_action = SYSLOG |
Set number of records to cause an explicit flush to audit logs (xccdf_org.ssgproject.content_rule_auditd_freq, severity medium, CCE-82512-5)
Set number of records to cause an explicit flush to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_freq |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_freq:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82512-5 |
| References: | |
| Description | To configure the Audit daemon to issue an explicit flush-to-disk command
after writing 50 records, set freq to 50
in /etc/audit/auditd.conf. |
| Rationale | If the freq option isn't set to 50, the flush to disk
may happen after a higher number of records, increasing the risk
of audit loss. |
OVAL test results details
tests the value of freq setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_freq:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | freq = 50 |
Include Local Events in Audit Logs (xccdf_org.ssgproject.content_rule_auditd_local_events, severity medium, CCE-82509-1)
Include Local Events in Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_local_events:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82509-1 |
| References: | | disa | CCI-000366, CCI-000169 | | nist | CM-6 | | os-srg | SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227 |
|
| Description | To configure the Audit daemon to include local events in the Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If the local_events option isn't set to yes, only events from
the network will be aggregated. |
OVAL test results details
tests the value of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | local_events = yes |
Resolve information before writing to audit logs (xccdf_org.ssgproject.content_rule_auditd_log_format, severity low, CCE-82511-7)
Resolve information before writing to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_log_format:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | low |
| Identifiers: | CCE-82511-7 |
| References: | | disa | CCI-000366, CCI-001487 | | nist | CM-6, AU-3 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670 |
|
| Description | To configure the Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. |
| Rationale | If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them. |
OVAL test results details
tests the value of log_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_log_format:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | log_format = ENRICHED |
Set type of computer node name logging in audit logs (xccdf_org.ssgproject.content_rule_auditd_name_format, severity medium, CCE-82513-3)
Set type of computer node name logging in audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_name_format:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82513-3 |
| References: | | disa | CCI-000132, CCI-001851 | | nist | CM-6, AU-3 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | pcidss4 | 10.2.2, 10.2 |
|
| Description | To configure the Audit daemon to use a unique identifier
as the computer node name in audit events,
set name_format to hostname
in /etc/audit/auditd.conf. |
| Rationale | If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish. |
| Warnings | warning
Whenever the variable var_auditd_name_format uses a multiple-value option, for example
A|B|C, the first value will be used when remediating this rule. |
|
OVAL test results details
tests the value of name_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_name_format:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /etc/audit/auditd.conf | name_format = NONE |
Write Audit Logs to the Disk (xccdf_org.ssgproject.content_rule_auditd_write_logs, severity medium, CCE-82510-9)
Write Audit Logs to the Disk
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_write_logs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_write_logs:def:1 |
| Time | 2025-10-23T19:36:55+00:00 |
| Severity | medium |
| Identifiers: | CCE-82510-9 |
| References: | |
| Description | To configure the Audit daemon to write Audit logs to the disk, set
write_logs to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If write_logs isn't set to yes, the Audit logs will
not be written to the disk. |
OVAL test results details
tests the value of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| true | /etc/audit/auditd.conf | write_logs = yes |
tests the absence of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| not evaluated | /etc/audit/auditd.conf | write_logs = |
Ensure the audit Subsystem is Installed (xccdf_org.ssgproject.content_rule_package_audit_installed, severity medium, CCE-82669-3)
Ensure the audit Subsystem is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_audit_installed:def:1 |
| Time | 2025-10-23T19:36:48+00:00 |
| Severity | medium |
| Identifiers: | CCE-82669-3 |
| References: | | disa | CCI-000133, CCI-001881, CCI-001875, CCI-000154, CCI-001882, CCI-000158, CCI-001914, CCI-000169, CCI-001464, CCI-001878, CCI-001877, CCI-001889, CCI-000135, CCI-002884, CCI-001487, CCI-003938, CCI-000132, CCI-000134, CCI-000172, CCI-000130, CCI-000131, CCI-001879, CCI-001880, CCI-001876, CCI-000159 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) | | nerc-cip | CIP-004-6 R3.3, CIP-007-3 R6.5 | | nist | AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a) | | ospp | FAU_GEN.1 | | pcidss | Req-10.1 | | os-srg | SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | anssi | R33, R73 | | pcidss4 | 10.2.1, 10.2 |
|
| Description | The audit package should be installed. |
| Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
OVAL test results details
package audit is installed
oval:ssg-test_package_audit_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64 |
Enable auditd Service (xccdf_org.ssgproject.content_rule_service_auditd_enabled, severity medium, CCE-82463-1)
Enable auditd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_auditd_enabled:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82463-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1, 3.3.2, 3.3.6 | | disa | CCI-000133, CCI-001881, CCI-001875, CCI-000154, CCI-001882, CCI-000158, CCI-001914, CCI-000169, CCI-001464, CCI-001878, CCI-001877, CCI-001889, CCI-000135, CCI-002884, CCI-001487, CCI-003938, CCI-000132, CCI-004188, CCI-000134, CCI-000172, CCI-000130, CCI-000131, CCI-001879, CCI-001880, CCI-001876 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nerc-cip | CIP-004-6 R3.3, CIP-007-3 R6.5 | | nist | AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | ospp | FAU_GEN.1 | | pcidss | Req-10.1 | | os-srg | SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, 
SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | app-srg-ctr | SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310, CNTR-OS-000150, CNTR-OS-000180 | | anssi | R33, R73 | | pcidss4 | 10.2.1, 10.2 |
|
| Description | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-auditd-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: auditd.service
        enabled: true
This will enable the auditd service in all the
nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config
Operator see the relevant documentation.
|
| Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. |
OVAL test results details
package audit is installed
oval:ssg-test_service_auditd_package_audit_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|---|
| not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64 |
Test that the auditd service is running
oval:ssg-test_service_running_auditd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|---|---|---|
| true | auditd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_auditd:tst:1
true
Following items have been found on the system:
systemd test
oval:ssg-test_multi_user_wants_auditd_socket:tst:1
false
Following items have been found on the system:
Extend Audit Backlog Limit for the Audit Daemon (xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument, severity medium, CCE-82671-9)
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82671-9 |
| References: | | nist | CM-6(a) | | os-srg | SRG-OS-000254-GPOS-00095 | | app-srg-ctr | SRG-APP-000092-CTR-000165, CNTR-OS-000170, CNTR-OS-000220 |
|
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in /boot/loader/entries/*.conf. |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during the boot process, the action
defined by the audit failure flag is taken. |
|
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument audit_backlog_limit=8192 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|---|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
Enable Auditing for Processes Which Start Prior to the Audit Daemon (xccdf_org.ssgproject.content_rule_coreos_audit_option, severity medium, CCE-82670-1)
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_coreos_audit_option |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coreos_audit_option:def:1 |
| Time | 2025-10-23T19:36:53+00:00 |
| Severity | medium |
| Identifiers: | CCE-82670-1 |
| References: | cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8; cjis: 5.4.1.1; cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; cui: 3.3.1; disa: CCI-001464, CCI-000130; hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b); isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6; iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; nerc-cip: CIP-004-6 R3.3, CIP-007-3 R7.1; nist: AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1); nist-csf: DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; pcidss: Req-10.3; app-srg-ctr: SRG-APP-000092-CTR-000165, CNTR-OS-000170, CNTR-OS-000220 |
| Description | To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf. On Red Hat Enterprise Linux CoreOS the BLS entries are written by rpm-ostree and are not edited by hand: the argument is added cluster-wide through the kernelArguments list of a MachineConfig, which the Machine Config Operator applies to every node in the targeted pool and carries forward across upgrades. Unlike the FIPS finding, this one can be fixed on a running cluster. |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. Records produced before auditd starts are queued in the kernel's audit backlog, whose default limit is 64 records, which is why this rule is paired with audit_backlog_limit=8192 (checked above): without the larger backlog, early-boot records would be dropped before the daemon can write them. |
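The remediation the description calls for, as an added example that is not part of this report or of the ComplianceAsCode content: a shell function that renders the MachineConfig carrying the kernel argument for one MachineConfigPool. It goes beyond the rule by also carrying audit_backlog_limit=8192 from the preceding rule, since both are applied by the same mechanism. The object name `75-<pool>-kernel-args-audit` is an assumption (any unique name works); `spec.kernelArguments`, the `machineconfiguration.openshift.io/role` label and `oc apply` are OpenShift's real API and tooling.

```shell
#!/bin/sh
# Added example: render the MachineConfig that adds kernel arguments to
# every node in a pool. Not from the report or ComplianceAsCode; the
# object name below is an assumption, the API fields are OpenShift's.
set -u

# render_machineconfig POOL ARG...: print a MachineConfig for POOL whose
# spec.kernelArguments carries each ARG. The Machine Config Operator
# hands these to rpm-ostree, which appends them to the BLS 'options'
# line of the deployment, and then reboots the node to apply them.
render_machineconfig() {
  pool="$1"; shift
  [ $# -gt 0 ] || { echo "usage: render_machineconfig POOL ARG..." >&2; return 2; }
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${pool}-kernel-args-audit   # assumed name; any unique name works
  labels:
    machineconfiguration.openshift.io/role: ${pool}
spec:
  kernelArguments:
EOF
  for arg in "$@"; do
    printf '    - %s\n' "$arg"
  done
}

# Usage: one MachineConfig per pool the scan covers, applied with oc.
#   render_machineconfig worker audit=1 audit_backlog_limit=8192 | oc apply -f -
#   render_machineconfig master audit=1 audit_backlog_limit=8192 | oc apply -f -
# Follow the rolling reboot with: oc get mcp -w
```

Applying the object makes the MCO drain and reboot the nodes of the pool in rolling fashion, so schedule it like any node reboot. Once a node is back, the argument shows up on the `options` line of its BLS entry and in /proc/cmdline, which is exactly what the OVAL tests below read; a rescan should then report the rule as passing.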
OVAL test results details
Check if /boot/loader/entries/ostree-2.*.conf does not exist
oval:ssg-test_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type
file_object
| Filepath |
|---|
| ^/boot/loader/entries/ostree-2.*.conf |
Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf
oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0 |
Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf
oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1 |
Check if argument audit=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline
oval:ssg-test_coreos_audit_option_audit_1_argument_in_proc_cmdline:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0 |
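The four OVAL tests above, reproduced as an added example (not from the report or from ComplianceAsCode) in shell against constructed sample files so it runs anywhere: one BLS entry without audit=1, like the ostree-1.conf finding, a second staged entry that has it, and a cmdline for the running kernel. The "does not exist" test for ostree-2.*.conf being true means the node has a single deployment, so the two "no items found" results for ostree-2 are not what fails the rule; the failure comes from ostree-1.conf and /proc/cmdline. The checker takes any list of arguments, so the same function covers the audit_backlog_limit=8192 check of the preceding rule. File contents, the deployment hashes `deadbeef` and `cafebabe`, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate the rule's kernel-argument checks against BLS
# entries and the running cmdline. Not from the report or ComplianceAsCode.
# Sample files below are constructed; on a real node the paths are
# /boot/loader/entries and /proc/cmdline.
set -u

# has_arg LINE ARG: true when ARG is a whole space-delimited token of LINE.
# Token matching avoids accepting audit=10 or noaudit=1 for audit=1, which
# an unanchored grep for the string would do. Note that BLS entries may
# quote a value (cgroup_no_v1="all") where /proc/cmdline shows it bare.
has_arg() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# options_line FILE: the first 'options' line of a BLS entry, key removed,
# i.e. the capture group of the OVAL pattern ^options (.*)$, instance 1.
options_line() {
  sed -n 's/^options //p' "$1" | head -n 1
}

# check_kernel_args ENTRIES_DIR CMDLINE_FILE ARG...: every ARG must be on
# the options line of every ostree-*.conf entry and on the running cmdline.
# A missing second entry (ostree-2.*.conf) is skipped, as the rule does,
# because a node with a single deployment has no second entry.
# Prints one PASS/FAIL line per check; returns 0 only if everything passed.
check_kernel_args() {
  dir="$1"; cmdline="$2"; shift 2
  rc=0
  for f in "$dir"/ostree-*.conf; do
    [ -e "$f" ] || continue          # glob matched nothing
    line=$(options_line "$f")
    for arg in "$@"; do
      if has_arg "$line" "$arg"; then echo "PASS $f: $arg"
      else echo "FAIL $f: missing $arg"; rc=1; fi
    done
  done
  line=$(head -n 1 "$cmdline")
  for arg in "$@"; do
    if has_arg "$line" "$arg"; then echo "PASS $cmdline: $arg"
    else echo "FAIL $cmdline: missing $arg"; rc=1; fi
  done
  return $rc
}

# make_samples DIR: constructed BLS entries and cmdline mirroring the
# finding above. ostree-1.conf lacks audit=1, ostree-2.conf (a staged
# second deployment) carries it, and the running kernel lacks it.
make_samples() {
  mkdir -p "$1/entries"
  cat > "$1/entries/ostree-1.conf" <<'EOF'
title Red Hat Enterprise Linux CoreOS (ostree:0)
version 1
options rw $ignition_firstboot ignition.platform.id=aws console=tty0 cgroup_no_v1="all" psi=0
linux /boot/ostree/rhcos-deadbeef/vmlinuz
EOF
  cat > "$1/entries/ostree-2.conf" <<'EOF'
title Red Hat Enterprise Linux CoreOS (ostree:1)
version 1
options rw $ignition_firstboot ignition.platform.id=aws console=tty0 audit=1 audit_backlog_limit=8192 psi=0
linux /boot/ostree/rhcos-cafebabe/vmlinuz
EOF
  printf 'BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-deadbeef/vmlinuz rw ignition.platform.id=aws console=tty0 cgroup_no_v1=all psi=0\n' > "$1/cmdline"
}

# Demo on the constructed samples: ./check_kernel_args.sh --demo
# Exits non-zero, as the scanned node fails the rule.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_samples "$tmp"
  check_kernel_args "$tmp/entries" "$tmp/cmdline" audit=1 audit_backlog_limit=8192
  rc=$?
  rm -rf "$tmp"
  exit $rc
fi
```

On a live node the same function runs against the real files from a debug pod, for example `oc debug node/<node> -- chroot /host sh -c 'check_kernel_args /boot/loader/entries /proc/cmdline audit=1 audit_backlog_limit=8192'` after copying the functions in; the result should match the report line for line, and after the MachineConfig reboot every line flips to PASS.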